OpenVPN#

For deployments of the VPN server starting on 2025-12-08, OpenVPN is not enabled “out of the box”.

This document explains how to enable OpenVPN in case you want it.

Portal Configuration#

You need to modify /etc/vpn-user-portal/config.php to enable OpenVPN. See the “OpenVPN” section of Profile Config for all OpenVPN configuration options.

You need to at least set the oRangeFour and oRangeSix options to a valid IPv4 and IPv6 prefixes.

NOTE: if you have both WireGuard and OpenVPN enabled for a VPN profile, OpenVPN will be the default, unless you set the Preferred Protocol to wireguard with the preferredProto option!

To generate some prefixes, you can use the included generate-prefix script, e.g.:

$ /usr/libexec/vpn-user-portal/generate-prefix
10.167.20.0/24
fd0f:f819:9320:dd8a::/64

All other (OpenVPN) settings are optional. By default OpenVPN will listen on port 1194 both on UDP and TCP.

Firewall#

Next, you need to update the firewall to open the relevant ports, and to forward the OpenVPN traffic.

Modify /etc/sysconfig/nftables.conf on Fedora / Enterprise Linux, or /etc/nftables.conf on Debian / Ubuntu.

Inside the input chain, make sure that port 1194 is opened for both UDP and TCP. Inside the forward chain, make sure you add "tun*" to the iifname map:

table inet filter {
    chain input {

        // other rules...

        tcp dport { 22, 80, 443, 1194 } accept
        udp dport { 1194, 51820 } accept

    }

    chain forward {

        // other rules...

        iifname { "tun*", "wg0" } oifname $EXTERNAL_IF accept
    }

    // other chains...

}

If you decided to use other OpenVPN ports, you need to obviously reflect that in the firewall rules. If you are deploying on Fedora / Enterprise Linux, you MAY also need to update the SELinux configuration.

Apply Changes#

$ sudo vpn-maint-apply-changes
$ sudo systemctl restart nftables

Now OpenVPN should be enabled and working!

Single Process#

NOTE: this requires vpn-user-portal >= 3.13.0

OpenVPN >= 2.7 makes it possible to have one OpenVPN process listen on multiple ports, both UDP and TCP using a single OpenVPN server process. The advantage of this is that we do not need to (internally) split the configured IP client prefixes among multiple OpenVPN server processes. The drawback is that there’s only 1 OpenVPN process running which, by design, is only able to saturate one CPU core. However, this drawback can be mitigated with DCO.

If your OS provides OpenVPN >= 2.7, or you can install it on your OS, you can consider enabling “Single Process” mode in /etc/vpn-user-portal/config.php. Add a section OpenVpn in it like this:

// ...

'OpenVpn' => [
    'singleProcess' => true,
],

// ...

If you then “Apply Changes” on your single server, or on your node(s), you’ll get the “Single Process” OpenVPN setup. You can undo this at any time, by removing the OpenVpn section from /etc/vpn-user-portal/config.php and “Apply Changes” again.

To apply changes:

$ sudo vpn-maint-apply-changes

Data Channel Offloading#

Linux kernels >= 6.16 have the Data Channel Offloading (DCO) kernel module available. This is documented upstream.

The advantage of using the DCO module is improved performance, including support for “multi threading”, which may be important when deploying Single Process OpenVPN.

In order to be able to use OpenVPN with DCO, you’ll need both OpenVPN >= 2.7 and the Linux kernel >= 6.16.

We expect the following supported server OSes to have these requirements out of the box:

• Ubuntu 26.04 (April 2026)
• Fedora 44 (April 2026)
• Debian 14 (~August 2027)
• Enterprise Linux 11 (~May 2028)

Enterprise Linux 10 has OpenVPN 2.7 (via EPEL), but no DCO support in the kernel.

It is also possible to deploy this on Debian 13 as well, but it requires using trixie-backports, see Single Process and/or DCO on Debian 13.

MTU#

NOTE: this requires vpn-user-portal >= 3.13.0

It is possible to set the MTU for OpenVPN as well. We earlier implemented support for that for WireGuard. Read that first before attempting to continue here to make sure you need this.

Modify /etc/vpn-user-portal/config.php and add the OpenVpn section if it does not yet exist, and add the setMtu option, e.g.:

// ...

'OpenVpn' => [
    'setMtu' => 1392,
],

// ...

What this option does is set both the MTU for the server processes, as well as include this in the generated OpenVPN client configuration files.

Make sure you apply changes:

$ sudo vpn-maint-apply-changes

Single Process and/or DCO on Debian 13#

NOTE: for “Single Process” OpenVPN, vpn-user-portal >= 3.13.0 is required NOTE: this is NOT officially supported by anyone!

OpenVPN 2.7 as well as a Linux kernel >= 6.16 are available in trixie-backports.

You first need to enable backports. Make sure you understand the ramifications of depending on backports!

You can then choose to install either just OpenVPN from the backports to get support for Single Process support, or both OpenVPN and the Linux kernel to also gain DCO support.

To install OpenVPN:

$ sudo apt install openvpn/trixie-backports

To also install the Linux kernel:

$ sudo apt install linux-image-amd64/trixie-backports

After installing the Linux kernel, a reboot is required. Don’t forget to also enable the Single Process configuration if so desired and “Apply Changes”.