
@ericbaranowski
Created July 26, 2017 22:18
OpenVPN command line options nicely formatted for building your custom config file
OpenVPN 2.4.3 x86_64-apple-darwin16.6.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 21 2017
# Local host name or ip address.
# Implies --bind.
local <hostname>
# Remote host name or ip address.
remote <hostname> [port]
# If multiple --remote options specified, choose one randomly.
remote-random
# Add a random string to remote DNS name.
remote-random-hostname
# Major mode, m = 'p2p' (default, point-to-point) or 'server'.
mode m
# Use protocol p for communicating with peer.
# p = udp (default), tcp-server, or tcp-client
proto p
# only consider protocol p in list of connection profiles.
# p = udp6, tcp6-server, or tcp6-client (ipv6)
proto-force p
# For client, number of seconds to wait between connection retries (default=5).
# On repeated retries the wait time is exponentially increased to a maximum of m (default=300).
connect-retry n [m]
# Maximum connection attempt retries, default infinite.
connect-retry-max n
# Connect to remote host through an HTTP proxy at address s and port p.
# If proxy authentication is required, up is a file containing username/password on 2 lines, or 'stdin' to prompt from console.
# Add auth='ntlm' if the proxy requires NTLM authentication.
http-proxy s p [up] [auth]
# Like the above directive, but automatically determine auth method and query for username/password if needed.
# auto-nct disables weak proxy auth methods.
http-proxy s p 'auto[-nct]'
# Set extended HTTP proxy options.
# Repeat to set multiple options.
# VERSION version (default=1.0) AGENT user-agent
http-proxy-option type [parm]
# Connect to remote host through a Socks5 proxy at address s and port p (default port = 1080).
# If proxy authentication is required, up is a file containing username/password on 2 lines, or 'stdin' to prompt from console.
socks-proxy s [p] [up]
# Retry indefinitely on Socks proxy errors.
socks-proxy-retry
# If hostname resolve fails for --remote, retry resolve for n seconds before failing (disabled by default).
# Set n="infinite" to retry indefinitely.
resolv-retry n
# Allow remote to change its IP address/port, such as through DHCP (this is the default if --remote is not used).
float
# Run command cmd on remote ip address initial setting or change -- execute as: cmd ip-address port#
ipchange cmd
# TCP/UDP port # for both local and remote.
port port
# TCP/UDP port # for local (default=1194).
# Implies --bind.
lport port
# TCP/UDP port # for remote (default=1194).
rport port
# Bind to local address and port. (This is the default unless --proto tcp-client or --http-proxy or --socks-proxy is used).
bind
# Do not bind to local address and port.
nobind
# tun/tap device (X can be omitted for dynamic device).
dev tunX|tapX
# Which device type are we using? (dt = tun or tap)
# Use this option only if the tun/tap device used with --dev does not begin with "tun" or "tap".
dev-type dt
# Explicitly set the device node rather than using /dev/net/tun, /dev/tun, /dev/tap, etc.
dev-node node
# Set the link layer address of the tap device.
lladdr hw
# Set --dev tun topology: 'net30', 'p2p', or 'subnet'.
topology t
# TUN: configure device to use IP address l as a local endpoint and rn as a remote endpoint.
# l & rn should be swapped on the other peer.
# l & rn must be private addresses outside of the subnets used by either peer.
# TAP: configure device to use IP address l as a local endpoint and rn as a subnet mask.
ifconfig l rn
# configure device to use IPv6 address l as local endpoint (as a /64) and r as remote endpoint
ifconfig-ipv6 l r
# Don't actually execute ifconfig/netsh command, instead pass --ifconfig parms by environment to scripts.
ifconfig-noexec
# Don't warn if the --ifconfig option on this side of the connection doesn't match the remote side.
ifconfig-nowarn
# Add route to routing table after connection is established.
# Multiple routes can be specified.
# netmask default: 255.255.255.255
# gateway default: taken from --route-gateway or --ifconfig
# Specify default by leaving blank or setting to "nil".
route network [netmask] [gateway] [metric]
# Add IPv6 route to routing table after connection is established.
# Multiple routes can be specified.
# gateway default: taken from 'remote' in --ifconfig-ipv6
route-ipv6 network/bits [gateway] [metric]
# Specify a default gateway for use with --route.
route-gateway gw|'dhcp'
# Specify a default metric for use with --route.
route-metric m
# Delay n seconds after connection initiation before adding routes (may be 0).
# If not specified, routes will be added immediately after tun/tap open.
# On Windows, wait up to w seconds for TUN/TAP adapter to come up.
route-delay n [w]
# Run command cmd after routes are added.
route-up cmd
# Run command cmd before routes are removed.
route-pre-down cmd
# Don't add routes automatically.
# Instead pass routes to --route-up script using environmental variables.
route-noexec
# When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options.
route-nopull
# Allow client to pull DNS names from server for --ifconfig, --route, and --route-gateway.
allow-pull-fqdn
# Automatically execute routing commands to redirect all outgoing IP traffic through the VPN.
# Add 'local' flag if both OpenVPN servers are directly connected via a common subnet, such as with WiFi.
# Add 'def1' flag to set default route using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
# Add 'bypass-dhcp' flag to add a direct route to DHCP server, bypassing tunnel.
# Add 'bypass-dns' flag to similarly bypass tunnel for DNS.
redirect-gateway [flags]
# Like --redirect-gateway, but omit actually changing the default gateway.
# Useful when pushing private subnets.
redirect-private [flags]
# on client add 1-to-1 NAT rule.
client-nat snat|dnat network netmask alias
# (client only) push client info to server.
push-peer-info
# Set a custom environmental variable to pass to script.
setenv name value
# Relax config file syntax checking to allow directives for future OpenVPN versions to be ignored.
setenv FORWARD_COMPATIBLE 1
# Relax config file syntax.
# Allow these options to be ignored when unknown
ignore-unknown-option opt1 opt2 ...
# Where level can be:
# 0 -- strictly no calling of external programs
# 1 -- (default) only call built-ins such as ifconfig
# 2 -- allow calling of built-ins and scripts
# 3 -- allow password to be passed to scripts via env
script-security level
# Restrict output to peer to n bytes per second.
shaper n
# Helper option for setting timeouts in server mode.
# Send ping once every n seconds, restart if ping not received for m seconds.
keepalive n m
# Exit after n seconds of activity on tun/tap device produces a combined in/out byte count < bytes.
inactive n [bytes]
# Exit if n seconds pass without reception of remote ping.
ping-exit n
# Restart if n seconds pass without reception of remote ping.
ping-restart n
# Run the --ping-exit/ping-restart timer only if we have a
ping-timer-rem
# Ping remote once every n seconds over TCP/UDP port.
ping n
# Configure a multi-homed UDP server.
multihome
# (experimental) Optimize TUN/TAP/UDP writes.
fast-io
# On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').
remap-usr1 s
# Keep tun/tap device open across SIGUSR1 or --ping-restart.
persist-tun
# Keep remote IP address across SIGUSR1 or --ping-restart.
persist-remote-ip
# Keep local IP address across SIGUSR1 or --ping-restart.
persist-local-ip
# Don't re-read key files across SIGUSR1 or --ping-restart.
persist-key
# TOS passthrough (applies to IPv4 only).
passtos
# Take the tun/tap device MTU to be n and derive the TCP/UDP MTU from it (default=1500).
tun-mtu n
# Assume that tun/tap device might return as many as n bytes more than the tun-mtu size on read (default TUN=0 TAP=32).
tun-mtu-extra n
# Take the TCP/UDP device MTU to be n and derive the tun MTU from it.
link-mtu n
# Should we do Path MTU discovery on TCP/UDP channel?
# 'no' -- Never send DF (Don't Fragment) frames
# 'maybe' -- Use per-route hints
# 'yes' -- Always DF (Don't Fragment)
mtu-disc type
# Empirically measure and report MTU.
mtu-test
# Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than max bytes.
# Adds 4 bytes of overhead per datagram.
fragment max
# Set upper bound on TCP MSS, default = tun-mtu size or --fragment max value, whichever is lower.
mssfix [n]
# Set the TCP/UDP send buffer size.
sndbuf size
# Set the TCP/UDP receive buffer size.
rcvbuf size
# Set the tun/tap TX queue length to n (Linux only).
txqueuelen n
# Disable Paging -- ensures key material and tunnel data will never be written to disk.
mlock
# Run command cmd after successful tun device open.
# Execute as: cmd tun/tap-dev tun-mtu link-mtu ifconfig-local-ip ifconfig-remote-ip (pre --user or --group UID/GID change)
up cmd
# Delay tun/tap open and possible --up script execution until after TCP/UDP connection establishment with peer.
up-delay
# Run command cmd after tun device close. (post --user/group UID/GID change and/or --chroot) (command parameters are same as --up option)
down cmd
# Run --down command before TUN/TAP close.
down-pre
# Run up/down commands for all restarts including those caused by --ping-restart or SIGUSR1
up-restart
# Set UID to user after initialization.
user user
# Set GID to group after initialization.
group group
# Chroot to this directory after initialization.
chroot dir
# Change to this directory before initialization.
cd dir
# Become a daemon after initialization.
# The optional 'name' parameter will be passed as the program name to the system logger.
daemon [name]
# Output to syslog, but do not become a daemon.
# See --daemon above for a description of the 'name' parm.
syslog [name]
# Run as an inetd or xinetd server.
# See --daemon above for a description of the 'name' parm.
inetd [name] ['wait'|'nowait']
# Output log to file which is created/truncated on open.
log file
# Append log to file, or create file if nonexistent.
log-append file
# Don't log timestamps to stdout/stderr.
suppress-timestamps
# Always log timestamp, message flags to stdout/stderr.
machine-readable-output
# Write main process ID to file.
writepid file
# Change process priority (>0 = lower, <0 = higher).
nice n
# Echo parameters to log output.
echo [parms ...]
# Set output verbosity to n (default=1): (Level 3 is recommended if you want a good summary of what's happening without being swamped by output).
# 0 -- no output except fatal errors
# 1 -- startup info + connection initiated messages + non-fatal encryption & net errors
# 2,3 -- show TLS negotiations & route info
# 4 -- show parameters
# 5 -- show 'RrWw' chars on console for each packet sent and received from TCP/UDP (caps) or tun/tap (lc)
# 6 to 11 -- debug messages of increasing verbosity
verb n
# Log at most n consecutive messages in the same category.
mute n
# Write operational status to file every n seconds.
status file n
# Choose the status file format version number.
# Currently, n can be 1, 2, or 3 (default=1).
status-version [n]
# Disable options consistency check between peers.
disable-occ
# Use compression algorithm alg
compress alg
# Use LZO compression -- may add up to 1 byte per packet for uncompressible data.
comp-lzo
# Don't use adaptive compression when --comp-lzo is specified.
comp-noadapt
# Enable a TCP server on ip:port to handle management functions.
# pass is a password file or 'stdin' to prompt from console.
# To listen on a unix domain socket, specify the pathname in place of ip and use 'unix' as the port number.
management ip port [pass]
# Management interface will connect as a TCP client to ip/port rather than listen as a TCP server.
management-client
# Query management channel for private key and auth-user-pass passwords.
management-query-passwords
# Query management channel for proxy information.
management-query-proxy
# Query management channel for --remote directive.
management-query-remote
# Start OpenVPN in a hibernating state, until a client of the management interface explicitly starts it.
management-hold
# Issue SIGUSR1 when management disconnect event occurs.
management-signal
# Forget passwords when management disconnect event occurs.
management-forget-disconnect
# Report tunnel up/down events to management interface.
management-up-down
# Cache n lines of log file history for usage by the management channel.
management-log-cache n
# When management interface is a unix socket, only allow connections from user u.
management-client-user u
# When management interface is a unix socket, only allow connections from group g.
management-client-group g
# gives management interface client the responsibility to authenticate clients after their client certificate has been verified.
management-client-auth
# management interface clients must specify a packet filter file for each connecting client.
management-client-pf
# Load plug-in module m passing str as an argument to its initialization function.
plugin m [str]
# Helper option to easily configure server mode.
server network netmask
# Configure IPv6 server mode.
server-ipv6 network/bits
# Helper option to easily configure ethernet bridging server mode.
server-bridge [IP netmask pool-start-IP pool-end-IP]
# Push a config file option back to the peer for remote execution.
# Peer must specify --pull in its config file.
push "option"
# Don't inherit global push list for specific client instance.
push-reset
# Set aside a pool of subnets to be dynamically allocated to connecting clients.
ifconfig-pool start-IP end-IP [netmask]
# Use individual addresses rather than /30 subnets in tun mode.
# Not compatible with Windows clients.
ifconfig-pool-linear
# Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600).
# If seconds=0, file will be treated as read-only.
ifconfig-pool-persist file [seconds]
# set aside an IPv6 network block to be dynamically allocated to connecting clients.
ifconfig-ipv6-pool base-IP/bits
# Push an ifconfig option to remote, overrides --ifconfig-pool dynamic allocation.
# Only valid in a client-specific config file.
ifconfig-push local remote-netmask
# Push an ifconfig-ipv6 option to remote, overrides --ifconfig-ipv6-pool allocation.
# Only valid in a client-specific config file.
ifconfig-ipv6-push local/bits remote
# Route subnet to client.
iroute network [netmask]
# Route IPv6 subnet to client.
# Sets up internal routes only.
# Only valid in a client-specific config file.
iroute-ipv6 network/bits
# Client is disabled.
# Only valid in a client-specific config file.
disable
# Don't require client certificate, client will authenticate using username/password.
client-cert-not-required
# perform no, optional or mandatory client certificate verification.
# Default is to require the client to supply a certificate.
verify-client-cert [none|optional|require]
# For auth-user-pass authentication, use the authenticated username as the common name, rather than the common name from the client cert.
username-as-common-name
# Query client for username/password and run command cmd to verify.
# If method='via-env', pass user/pass via environment, if method='via-file', pass user/pass via temporary file.
auth-user-pass-verify cmd method
# Generate a random authentication token which is pushed to each client, replacing the password.
# Useful when OTP based two-factor auth mechanisms are in use and --reneg-* options are enabled.
# Optionally a lifetime in seconds for generated tokens can be set.
auth-gen-token [lifetime]
# Clients that connect with options that are incompatible with those of the server will be disconnected.
opt-verify
# Allow connections by clients that don't specify a username/password.
auth-user-pass-optional
# Allow Common Name and X509 Subject to include any printable character.
no-name-remapping
# Internally route client-to-client traffic.
client-to-client
# Allow multiple clients with the same common name to concurrently connect.
duplicate-cn
# Run command cmd on client connection.
client-connect cmd
# Run command cmd on client disconnection.
client-disconnect cmd
# Directory for custom client config files.
client-config-dir dir
# Refuse connection unless custom client config is found.
ccd-exclusive
# Temporary directory, used for --client-connect return file and plugin communication.
tmp-dir dir
# Set the size of the real address hash table to r and the virtual address table to v.
hash-size r v
# Allocate n broadcast buffers.
bcast-buffers n
# Maximum number of queued TCP output packets.
tcp-queue-limit n
# Macro that sets TCP_NODELAY socket flag on the server as well as pushes it to connecting clients.
tcp-nodelay
# Run command cmd to validate client virtual addresses.
learn-address cmd
# Allow a maximum of n new connections per s seconds.
connect-freq n s
# Allow a maximum of n simultaneously connected clients.
max-clients n
# Allow a maximum of n internal routes per client.
max-routes-per-client n
# Remove routes with a last activity timestamp older than n seconds.
# Run this check every t seconds (defaults to n).
stale-routes-check n [t]
# In UDP server mode send [RESTART] command on exit/restart to connected clients.
# n = 1 connect to same server, 2 once to next server, default=1.
explicit-exit-notify [n]
# When run in TCP mode, proxy incoming HTTPS sessions to a web server at host:port.
# dir specifies an optional directory to write origin IP:port data.
port-share host port [dir]
# Helper option to easily configure client mode.
client
# Authenticate with server using username/password.
# up is a file containing the username on the first line, and a password on the second.
# If either the password or both the username and the password are omitted OpenVPN will prompt for them from console.
auth-user-pass [up]
# Accept certain config file options from the peer as if they were part of the local config file.
# Must be specified when connecting to a 'mode server' remote host.
pull
# Filter each option received from the server if it starts with the text t.
# The action flag accept, ignore or reject causes the option to be allowed, removed or rejected with error.
# May be specified multiple times, and each filter is applied in the order of appearance.
pull-filter accept|ignore|reject t
# How to handle auth failures.
# Set t to none (default), interact, or nointeract.
auth-retry t
# Enable static challenge/response protocol using challenge text t, with e indicating echo flag (0|1)
static-challenge t e
# when polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server.
connect-timeout n
# When this option is set, OpenVPN will not drop incoming tun packets with same destination as host.
allow-recursive-routing
# On exit/restart, send exit signal to server/remote.
# n = # of retries, default=1.
explicit-exit-notify [n]
# Enable Static Key encryption mode (non-TLS).
# Use shared secret file f, generate with --genkey.
# The optional d parameter controls key directionality.
# If d is specified, use separate keys for each direction, set d=0 on one side of the connection, and d=1 on the other side.
secret f [d]
# Authenticate packets with HMAC using message digest algorithm alg (default=SHA1).
# (usually adds 16 or 20 bytes per packet) Set alg=none to disable authentication.
auth alg
# Encrypt packets with cipher algorithm alg (default=BF-CBC).
# Set alg=none to disable encryption.
cipher alg
# List of ciphers that are allowed to be negotiated.
ncp-ciphers list
# Disable cipher negotiation.
ncp-disable
# For PRNG, use digest algorithm alg, and nonce_secret_len=nsl.
# Set alg=none to disable PRNG.
prng alg [nsl]
# Size of cipher key in bits (optional).
# If unspecified, defaults to cipher-specific default.
keysize n
# Enable OpenSSL hardware crypto engine functionality.
engine [name]
# Disable replay protection.
no-replay
# Silence the output of replay warnings to log file.
mute-replay-warnings
# Use a replay protection sliding window of size n and a time window of t seconds.
# Default n=64 t=15
replay-window n [t]
# Disable cipher IV -- only allowed with CBC mode ciphers.
no-iv
# Persist replay-protection state across sessions using file.
replay-persist file
# Run a self-test of crypto features enabled.
# For debugging only.
test-crypto
# Enable TLS and assume server role during TLS handshake.
tls-server
# Enable TLS and assume client role during TLS handshake.
tls-client
# Data channel key exchange method.
# m should be a method number, such as 1 (default), 2, etc.
key-method m
# Certificate authority file in .pem format containing root certificate.
ca file
# A directory of trusted certificates (CAs and CRLs).
capath dir
# File containing Diffie Hellman parameters in .pem format (for --tls-server only).
# Use "openssl dhparam -out dh1024.pem 1024" to generate.
dh file
# Local certificate in .pem format -- must be signed by a Certificate Authority in --ca file.
cert file
# one or more PEM certs that complete the cert chain.
extra-certs file
# Local private key in .pem format.
key file
# sets the minimum TLS version we will accept from the peer.
# If version is unrecognized and 'or-highest' is specified, require max TLS version supported by SSL implementation.
tls-version-min <version> ['or-highest']
# sets the maximum TLS version we will use.
tls-version-max <version>
# PKCS#12 file containing local private key, local certificate and optionally the root CA certificate.
pkcs12 file
# Specify fingerprint for level-1 certificate.
# Valid algo flags are SHA1 and SHA256.
verify-hash hash [algo]
# A list l of allowable TLS ciphers separated by ':' (optional).
# Use --show-tls to see a list of supported TLS ciphers.
tls-cipher l
# Packet retransmit timeout on TLS control channel if no ACK from remote within n seconds (default=2).
tls-timeout n
# Renegotiate data chan. key after n bytes sent and recvd.
reneg-bytes n
# Renegotiate data chan. key after n packets sent and recvd.
reneg-pkts n
# Renegotiate data chan. key after n seconds (default=3600).
reneg-sec n
# Data channel key exchange must finalize within n seconds of handshake initiation by any peer (default=60).
hand-window n
# Transition window -- old key can live this many seconds after new key renegotiation begins (default=3600).
tran-window n
# Allow only one session (reset state on restart).
single-session
# Exit on TLS negotiation failure.
tls-exit
# Add an additional layer of authentication on top of the TLS control channel to protect against attacks on the TLS stack and DoS attacks.
# f (required) is a shared-secret key file.
# The optional d parameter controls key directionality, see --secret option for more info.
tls-auth f [d]
# Add an additional layer of authenticated encryption on top of the TLS control channel to hide the TLS certificate, provide basic post-quantum security and protect against attacks on the TLS stack and DoS attacks.
# key (required) provides the pre-shared key file.
# see --secret option for more info.
tls-crypt key
# Get PEM password from controlling tty before we daemonize.
askpass [file]
# Don't cache --askpass or --auth-user-pass passwords.
auth-nocache
# Check peer certificate against a CRL.
crl-verify crl ['dir']
# Run command cmd to verify the X509 name of a pending TLS connection that has otherwise passed all other tests of certification.
# cmd should return 0 to allow TLS handshake to proceed, or 1 to fail.
# (cmd is executed as 'cmd certificate_depth subject')
tls-verify cmd
# Get peer cert in PEM format and store it in an openvpn temporary file in [directory].
# Peer cert is stored before tls-verify script execution and deleted after.
tls-export-cert [directory]
# Accept connections only from a host with X509 subject DN name.
# The remote host must also pass all other tests of verification.
verify-x509-name name
# (DEPRECATED) Require that peer certificate was signed with an explicit nsCertType designation t = 'client' | 'server'.
ns-cert-type t
# Save peer X509 attribute x in environment for use by plugins and management interface.
x509-track x
# Save Exported Keying Material (RFC5705) of len bytes (min. 16 bytes) using label in environment for use by plugins.
keying-material-exporter label len
# Require that the peer certificate was signed with explicit key usage, you can specify more than one value.
# value should be given in hex format.
remote-cert-ku v ...
# Require that the peer certificate was signed with explicit extended key usage.
# Extended key usage can be encoded as an object identifier or OpenSSL string representation.
remote-cert-eku oid
# Require that peer certificate was signed with explicit key usage and extended key usage based on RFC3280 TLS rules.
# t = 'client' | 'server'.
remote-cert-tls t
# PKCS#11 provider to load.
pkcs11-providers provider ...
# Use PKCS#11 protected authentication path.
# Set for each provider.
pkcs11-protected-authentication [0|1] ...
# PKCS#11 private key mode mask.
pkcs11-private-mode hex ...
# Set if login should be performed before certificate can be accessed.
# Set for each provider.
pkcs11-cert-private [0|1] ...
# Number of seconds to cache PIN.
# The default is -1: cache until token is removed.
pkcs11-pin-cache seconds
# Acquire identity from management interface.
pkcs11-id-management
# Identity to use, get using standalone --show-pkcs11-ids
pkcs11-id serialized-id 'id'
# Show cipher algorithms to use with --cipher option.
show-ciphers
# Show message digest algorithms to use with --auth option.
show-digests
# Show hardware crypto accelerator engines (if available).
show-engines
# Show all TLS ciphers (TLS used only as a control channel).
show-tls
# Generate a random key to be used as a shared secret, for use with the --secret option.
genkey
# Write key to file.
secret file
# Show PKCS#11 available ids.
# --verb option can be added *BEFORE* this.
show-pkcs11-ids provider [cert_private]
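As an added example of turning this option list into a check (not the gist's or OpenVPN's own code), the Python script below parses an OpenVPN 2.4 config and flags the directives the list describes as disabling a protection (cipher/auth none, no-replay, no-iv, client-cert-not-required, script-security 3, ...) plus a few hardening directives that are absent; the two sample configs, the message texts and the rule set are constructed here.

```python
"""Lint an OpenVPN 2.4 config against the option semantics in the list above.
Added example; not OpenVPN project code. Rule messages are my own wording,
directive meanings follow the option list (e.g. 'Set alg=none to disable')."""

# Directives whose presence (or a specific first argument) disables a protection.
DISABLING = [
    ("cipher", "none", "data-channel encryption disabled"),
    ("auth", "none", "HMAC packet authentication disabled"),
    ("no-replay", None, "replay protection disabled"),
    ("no-iv", None, "cipher IV disabled"),
    ("client-cert-not-required", None, "client certificate not required"),
    ("verify-client-cert", "none", "client certificate verification disabled"),
    ("script-security", "3", "passwords passed to scripts via environment"),
    ("ncp-disable", None, "cipher negotiation disabled"),
    ("disable-occ", None, "options consistency check disabled"),
]

# Constructed sample configs (hostname and key file name are placeholders).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
; embedded CA block is skipped by the parser
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
cipher none
auth none
no-replay
script-security 3
verb 3
"""
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth SHA256
remote-cert-tls server
tls-crypt ta.key
auth-nocache
verb 3
"""

def parse_config(text):
    """Return [(directive, [args])]. Comments start with '#' or ';'.
    Inline <tag>...</tag> blocks (embedded certs/keys) are skipped."""
    entries, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <tag> ... </tag>
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries

def lint_config(text):
    """Return a sorted list of 'directive: message' findings."""
    entries = parse_config(text)
    present = {d for d, _ in entries}
    findings = []
    for directive, args in entries:
        for name, arg, msg in DISABLING:
            if directive == name and (arg is None or (args and args[0].lower() == arg)):
                findings.append("%s: %s" % (directive, msg))
    # The option list gives BF-CBC as the --cipher default; report when unset.
    if "cipher" not in present:
        findings.append("cipher: not set, listed default is BF-CBC")
    is_tls = bool(present & {"client", "tls-client", "server", "tls-server"})
    if is_tls and not present & {"tls-auth", "tls-crypt"}:
        findings.append("tls-auth/tls-crypt: control channel has no extra protection layer")
    if present & {"client", "tls-client"} and "remote-cert-tls" not in present:
        findings.append("remote-cert-tls: client does not require server key usage in peer cert")
    return sorted(findings)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_config(cfg) or ["no findings"])
```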