-
Notifications
You must be signed in to change notification settings - Fork 118
Linux CLI configuration file reference
Jason Xu edited this page Jun 12, 2025
·
5 revisions
This page describes the configuration file for the Linux CLI builds. The configuration file is located at ~/.config/Windscribe/windscribe_cli.conf.
Please note that all values are case-sensitive and must match exactly, otherwise they will be unrecognized and revert to the default.
This section contains settings relating to the general operation of the client.
| Name | Default | Allowed values | Description | Comments |
|---|---|---|---|---|
| Language | (system language) | ar, cs, de, en, es, fa, fr, hi, id, it, ja, ko, pl, pt, ru, tr, uk, vi, zh-CN, zh-TW | Displayed language for CLI (does not affect 'help') | |
| LaunchOnStartup | true | true, false | If true, the service is launched when the current user logs in. | If you want to make Windscribe launch at boot instead, you should enable linger on your user with loginctl enable-linger <username>
|
| UpdateChannel | Release | Release, Beta, Guinea Pig | Choose whether to receive stable, beta, or experimental builds. |
This section contains advanced settings. You should not be touching these unless instructed by our support team.
| Name | Default | Allowed values | Description | Comments |
|---|---|---|---|---|
| APIResolutionAddress | 0.0.0.0 - 255.255.255.255 | Alternate IP address to use for the app to contact the Windscribe API. | ||
| APIResolutionMode | Auto | Auto, Manual | Set to manual for the above APIResolutionAddress to take effect. | |
| DNSManager | Auto | Auto, Resolvconf, Systemd-resolved, NetworkManager | Sets the underlying DNS manager on your system. | |
| DNSPolicy | Cloudflare | OS Default, Open DNS, Cloudflare, Google, ControlD | Sets the app internal DNS server | |
| IgnoreSSLErrors | false | true, false | Sets whether to ignore certificate errors. |
This section contains network-specific settings.
| Name | Default | Allowed values | Description | Comments |
|---|---|---|---|---|
| AllowLANTraffic | false | true, false | If true, allows traffic to RFC 1918 networks and link-local addresses while connected to VPN. |
|
| Autoconnect | false | true, false | If true, connects automatically when on a Secured network. |
|
| AutosecureNetworks | true | true, false | If true, when joining a new network, it is marked Secured by default. |
|
| CircumventCensorship | false | true, false | If true, attempts to bypass restrictions on hostile networks. |
|
| ConnectedDNSMode | Auto | Auto, Custom | If 'Auto', use ROBERT for DNS after connecting VPN. If Custom, configure below. | |
| ConnectedDNSUpstream1 | IP address or URL | If ConnectedDNSMode is custom, this DNS server is used when connected to VPN. | You must set ConnectedDNSMode=Custom for this to take effect. | |
| ConnectedDNSUpstream2 | IP address or URL | This DNS server is used for SplitDNS. See SplitDNS. | You must set ConnectedDNSMode=Custom and SplitDNS=true for this to take effect. | |
| ConnectionMode | Auto | Auto, Manual | If Manual, specify which protocol/port to use with ManualConnectionProtocol and ManualConnectionPort. |
|
| FirewallMode | Auto | Auto, Manual, Always On | If Auto, enabled when specified by FirewallWhen. If Manual, you must turn it on and off yourself. |
|
| FirewallWhen | Before Connection | Before Connection, After Connection | Specifies when to turn the firewall on. | |
| MACAddressSpoofingAddress | aabbccddeeff or AA:BB:CC:DD:EE:FF | The MAC address to spoof to. You must set MACAddressSpoofingEnabled=true and MACAddressSpoofingInterface to the desired interface. | You must set MACAddressSpoofingEnabled for this to take effect. This will be overridden if MACAddressSpoofingAutoRotate is true. | |
| MACAddressSpoofingAutoRotate | false | true, false | If true, changes the MAC address every time you connect to a network. |
You must set MACAddressSpoofingEnabled for this to take effect. |
| MACAddressSpoofingEnabled | false | true, false | If true, spoofs the MAC address specified on MACAddressSpoofingInterface |
|
| MACAddressSpoofingInterface | No Interface | No Interface, | The network interface name on which to spoof. | You must set MACAddressSpoofingEnabled for this to take effect. |
| ManualConnectionPort | 443 | IKEv2: 500; UDP: 443, 80, 53, 123, 1194, 54783; TCP: 443, 587, 21, 22, 80, 123, 3306, 8080, 54783, 1194; Stealth: 443, 587, 21, 22, 80, 123, 3306, 8080, 54783, 8443; WStunnel: 443; WireGuard: 443, 80, 53, 123, 1194, 65142 | The port to connect to. | Note that these are typical allowed ports, but may vary. We recommend you stick with 443. You must set ConnectionMode=Manual for this to take effect. |
| ManualConnectionProtocol | WireGuard | WireGuard, UDP, TCP, Stealth, WStunnel | The protocol to connect with. | You must set ConnectionMode=Manual for this to take effect. |
| PacketSizeMTU | -1 | 28 - 65535 | Sets the custom MTU packets. Only affects UDP protocols. | You must set PacketSizeMode=Manual for this to take effect. |
| PacketSizeMode | Auto | Auto, Manual | Set this to Manual to make PacketSizeMTU take effect. | |
| ProxyAddress | 0.0.0.0 - 255.255.255.255 | If you have a LAN proxy, set it here. | You must set ProxyMode=HTTP for this to take effect. | |
| ProxyMode | None | None, HTTP | If set to HTTP, enables LAN proxy functionality. |
|
| ProxyPassword | Your proxy password, if any | |||
| ProxyPort | 0 | 0 - 65535 | Your LAN proxy port. | |
| ProxyUsername | Your LAN proxy username, if any. | |||
| ShareProxyGatewayEnabled | false | true, false | If true, enables a proxy server to share your connection. |
|
| ShareProxyGatewayMode | HTTP | HTTP, SOCKS | Sets the mode for the proxy. | You must set ShareProxyGatewayEnabled=true for this to take effect. |
| ShareProxyGatewayPort | 0 | 0 - 65535 | Port for the proxy to start on. | A value of 0 means 'let Windscribe choose'. You must set ShareProxyGatewayEnabled=true for this to take effect. |
| ShareProxyGatewayWhileConnected | false | true, false | If true, the proxy is only enabled when VPN is connected, to ensure that all proxied traffic goes out via VPN. |
You must set ShareProxyGatewayEnabled=true for this to take effect. |
| SplitDNS | false | true, false | If true, allows you to use a different DNS server for some domains. Specify the domains in SplitDNSHostnames. | |
| SplitDNSHostnames | (comma-separated list of domains) | See above. | You must set ConnectedDNSMode=Custom and SplitDNS=true for this to take effect. | |
| SplitTunnelingApps | (comma-separated list of paths) | Executables to split-tunnel. | You must have SplitTunnelingEnabled=true for this to take effect. | |
| SplitTunnelingEnabled | false | true, false | Enables split-tunneling. Specify apps or IPs/domains with SplitTunnelingApps and SplitTunnelingRoutes | |
| SplitTunnelingMode | Exclude | Exclude, Include | If exclusive, everything will be in the tunnel except apps/routes you specify. If inclusive, everything will be outside the tunnel except apps/routes you specify. | |
| SplitTunnelingRoutes | (comma-separated list of IPs or hostnames) | Specify IPs and/or hostnames to split tunnel. IPs may be in CIDR format. | You must set SplitTunnelingEnabled=true for this to take effect. |
This section contains network-specific settings.
| Name | Default | Allowed values | Description | Comments |
|---|---|---|---|---|
| \NetworkTrustType | Depends on Autosecure Networks
|
Secured, Unsecured | Network-specific setting; Secured means Autoconnect will take effect on this network. Unsecured means Windscribe will automatically disconnect when on this network. |