Skip to main content

OpenVPN 3 Linux Client

The OpenVPN 3 Linux client is the official next-generation command-line client for Linux systems. It supports modern features for both open-source community users and commercial OpenVPN product users (Access Server and CloudConnexa).

What is OpenVPN 3 Linux?

OpenVPN 3 Linux is a user-space implementation built on the same core library used by OpenVPN Connect. Unlike the older OpenVPN 2.x clients, this version offers:

  • Unprivileged user support.

  • Automatic DNS configuration.

  • Access control for configuration and session management.

  • D-Bus integration and Python 3 support for scripting and automation.

Note

There is no GUI client (OpenVPN Connect) for Linux. This is a command-line-only client.

Installation

We provide packages for Ubuntu, Debian, RHEL, and Fedora. Refer to these for reference:

Using OpenVPN 3 Linux with Access Server

You can connect to Access Server using the openvpn3-as tool included in the client package. Follow the detailed steps in this article:

Advanced features

Configuration and session access control (ACL)

  • To associate a connection profile (.ovpn file) with a configuration file:

    openvpn3 config-import --config Brandon.ovpn --name <MY_CONFIG_NAME> --persistent

    Tip

    The <MY_CONFIG_NAME> (configuration file) is an "alias name" associated with your connection profile (.ovpn file).

  • To list all available configuration profiles, run this command:

    openvpn3 configs-list

    Important

    A configuration file typically contains generic options to connect to a specific server, regardless of the Device itself. OpenVPN 3 Linux also supports setting more Host-specific settings on a configuration Profile. This is handled via the openvpn3 config-manage interface. Any settings here will also be preserved across boots if the configuration Profile was imported with the --persistent argument.

  • To start a VPN session:

    openvpn3 session-start --config <MY_CONFIG_NAME>
  • Once a VPN session has started, you can list the active VPN session by running this command:

    openvpn3 sessions-list
  • To disconnect a VPN session:

    openvpn3 session-manage --config <MY_CONFIG_NAME> --disconnect
  • To start a VPN session using the openvpn2 script:

    openvpn2 --config Brandon.ovpn --verb 6

    Tip

    The openvpn2 is a Python script that partly "emulates" the classic OpenVPN.

Python 3 integration

The client ships with a Python 3 module and example scripts:

  • openvpn2

  • openvpn3-autoload

  • openvpn3-as

More examples are available in the source tree.

AWS VPC integration

  1. For AWS routing integration, install the AWS add-on:

    # Ubuntu/Debian
    apt install openvpn3-addon-aws
    
    # Fedora/RHEL/CentOS
    yum install openvpn3-addon-aws
  2. Then start the service:

    sudo systemctl enable openvpn3-aws.service

The service listens for VPN route changes and updates your AWS VPC route table.

Important

The openvpn3-service-aws requires AWS IAM role configuration. We recommend configuring it with AWS CloudFormation scripts. See the openvpn3-service-aws man page for details.

About DCO (data channel offload)

The OpenVPN 3 client can optionally use the ovpn-dco kernel module for improved performance.

  1. To start a VPN session with DCO:

    openvpn3 session-start --config <MY_CONFIG_NAME> --dco true
  2. Check if the module is installed:

    modinfo ovpn-dco-v2
  3. Check DKMS status:

    dkms status
    • If this only says the ovpn-dco module is added and not installed, or the installed kernel version doesn't match the running kernel version, there's a mismatch. Use this command to verify your running kernel version:

      uname -r

      Tip

      Ensure your host is current on kernel updates.

For advanced build and troubleshooting, refer to the dkms(8) man page.

Additional documentation and references

Limitations

Profile autoloading

OpenVPN 3 doesn't support --auth-user-pass with plain text files like OpenVPN 2.

OpenVPN 2 Linux clients allowed storing user credentials in a text-based file for starting a VPN connection. For specific use cases with OpenVPN 3 where this is still needed, find a workaround here: OpenVPN 3 Linux and --auth-user-pass.

Not using Access Server or CloudConnexa?

This page focuses on using OpenVPN 3 with OpenVPN Inc. products. If you're using OpenVPN 3 Linux with your own server or another VPN provider: