sing-box-extended/examples/openvpn/tls-crypt.json

{
  "log": {
    "level": "info"
  },
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen_port": 7897
    }
  ],
  "outbounds": [
    {
      "type": "openvpn",
      "tag": "openvpn-out",
      "servers": [
        {
          "server": "vpn.example.com",
          "server_port": 1194
        }
      ],
      "proto": "udp", // udp, tcp
      "cipher": "AES-256-GCM", // AES-128-GCM, AES-192-GCM, AES-256-GCM, AES-128-CBC, AES-192-CBC, AES-256-CBC, CHACHA20-POLY1305
      "auth": "SHA256", // SHA1, SHA256, SHA384, SHA512 (ignored for AEAD ciphers)
      "tls_crypt": "-----BEGIN OpenVPN Static key V1-----\n...\n-----END OpenVPN Static key V1-----",
      // or: "tls_crypt_path": "/path/to/ta.key",
      "ping_interval": "10s",
      "reconnect_delay": "30s",
      "tls": {
        "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
        // or: "certificate_path": "/path/to/client.crt",
        "key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
        // or: "key_path": "/path/to/client.key",
        "ca": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
        // or: "ca_path": "/path/to/ca.crt",
        "cipher_suites": [],
        "verify_x509_name": "",
        "verify_x509_name_mode": "", // name-prefix, name-suffix, exact (default)
        "fragment": false,
        "fragment_fallback_delay": "300ms",
        "record_fragment": false,
        "kernel_tx": false,
        "kernel_rx": false
      }
      // Dial Fields
    }
  ],
  "route": {
    "final": "openvpn-out",
    "auto_detect_interface": true
  }
}