diff --git a/net/openvpn/files/lib/netifd/proto/openvpn.sh b/net/openvpn/files/lib/netifd/proto/openvpn.sh
index ffb1ed6e1c..5ee97dd3f8 100755
--- a/net/openvpn/files/lib/netifd/proto/openvpn.sh
+++ b/net/openvpn/files/lib/netifd/proto/openvpn.sh
@@ -50,11 +50,24 @@ option_builder() {
 				file)
 					json_get_var v "$f"
 					[ -f "$v" ] || continue
-					[ -n "$v" ] && append exec_params " --${f//_/-} $v"
+					[ -n "$v" ] && append exec_params " --${f//_/-} \"$v\""
 					;;
 				list)
-					json_get_values v "$f"
-					[ -n "${v}" ] && append exec_params "$(for d in $v; do echo " --${f//_/-} $d"; done)"
+					local type
+					json_get_type type "$f"
+					case "$type" in
+					object|array)
+						local keys key
+						json_select "$f"
+						json_get_keys keys
+						for key in $keys; do
+							json_get_var val "$key"
+							append exec_params " --${f//_/-} \"$val\""
+						done
+						json_select ..
+						;;
+					*)  ;;
+					esac
 					;;
 			esac
 		fi
@@ -114,7 +127,6 @@ proto_openvpn_setup() {
 	append exec_params " --syslog openvpn_$config"
 	append exec_params " --tmp-dir /var/run"
 
-	# alllow deprecated OpenVPN configuration values by default
 	json_get_var ALLOW_DEPRECATED allow_deprecated
 	[ -z "$ALLOW_DEPRECATED" ] && ALLOW_DEPRECATED=0
 
@@ -196,10 +208,10 @@ proto_openvpn_setup() {
 			-p daemon.warn "Default hotplug processing disabled, as the openvpn configuration 'script_security' is less than '3'"
 	fi
 
-	# shellcheck disable=SC2086
-	proto_run_command "$config" openvpn $exec_params
+	eval "set -- $exec_params"
+	proto_run_command "$config" openvpn "$@"
 
-	# last param wins; user provided status or syslog supersedes these.
+	# last param wins; user provided status or syslog supersedes.
 }
 
 proto_openvpn_renew() {
diff --git a/net/openvpn/files/lib/netifd/proto/openvpn.uc b/net/openvpn/files/lib/netifd/proto/openvpn.uc
index 69dac66ee1..1dc823e468 100755
--- a/net/openvpn/files/lib/netifd/proto/openvpn.uc
+++ b/net/openvpn/files/lib/netifd/proto/openvpn.uc
@@ -87,7 +87,6 @@ const OPENVPN_STRING_PARAMS = [
 	{ name: 'proto_force' },
 	{ name: 'providers' },
 	{ name: 'pull_filter' },
-	{ name: 'push' },
 	{ name: 'push_remove' },
 	{ name: 'redirect_gateway' },
 	{ name: 'redirect_private' },
@@ -303,7 +302,10 @@ function add_param(params, key, value) {
 	let flag = `--${replace(key, '_', '-')}`;
 	push(params, flag);
 	if (value)
-		push(params, value);
+		if (key === "push")
+			push(params, `"${value}"`);
+		else
+			push(params, value);
 }
 
 function build_exec_params(cfg) {
diff --git a/net/openvpn/files/usr/share/openvpn/openvpn.options b/net/openvpn/files/usr/share/openvpn/openvpn.options
index a253446472..2497f13a25 100644
--- a/net/openvpn/files/usr/share/openvpn/openvpn.options
+++ b/net/openvpn/files/usr/share/openvpn/openvpn.options
@@ -73,7 +73,6 @@ port_share
 proto_force
 providers
 pull_filter
-push
 push_remove
 redirect_gateway
 redirect_private