Protocol Compatibility

While OpenVPN has evolved quickly since its initial release in March 2002, all reasonable efforts have been made to preserve protocol compatibility across different OpenVPN versions.

Several changes, however, have been made since version 1.1.0 that could affect compatibility.

These notes assume that you are using OpenVPN 1.1.0 or later. Versions before 1.1.0 should be considered experimental.

In version 1.3.0, the default --udp-mtu was changed from 1500 to 1300. If you want a 1.3.0 or later version of OpenVPN to talk to a 1.1.x or 1.2.x version, you should explicitly use --udp-mtu on both sides of the connection rather than depending on defaults.

In version 1.5.x, the TLS-mode options string format was changed. This change will only affect you if you are using TLS-based security. Version 1.5.x is fully compatible with 1.4.x. Version 1.5.x can talk to 1.3.x, but you must use the --disable-occ flag on the 1.3.x peer. Version 1.5.x cannot talk with 1.2.x or earlier using TLS.

In version 1.5.x, if you are using a TAP-style tunnel, the following default is used to simplify the configuration of ethernet bridging: --tun-mtu 1500 --tun-mtu-extra 32. If you are bridging to a 1.4.x peer or earlier, you should explicitly state the preceding options on the 1.4.x peer.

In version 1.5.x, the Red Hat /etc/init.d/openvpn file has been changed to not enable IP forwarding by default (this was construed as being overly presumptuous for default behavior). IP forwarding can be easily enabled in a script or --up file with the command:

echo 1 > /proc/sys/net/ipv4/ip_forward

In version 1.5.x, --udp-mtu was renamed to --link-mtu since OpenVPN now supports both the UDP and TCP protocols for the tunnel transport layer. --udp-mtu will still be supported for compatibility.

In version 1.5.x, --verb 5 is now a debugging level. For normal usage, --verb 4 should be considered an upper bound.

In version 1.6.0 and up, the config file parser supports shell-escapes by preceding a character with a backslash. If you want to pass a backslash character itself, you must use two consecutive backslashes.

In version 2.0, --tun-mtu 1500 --mssfix 1450 is now the default. (In 1.x the default is --link-mtu 1300 for tun interfaces and --tun-mtu 1500 for tap interfaces, with --mssfix disabled.)

Also in version 2.0, when using TLS, --key-method 2 is now the default. Use --key-method 1 on the 2.0 side to communicate with 1.x.
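As an added illustration of three of the notes above (the 1.3.0 --udp-mtu default change and the 1.5.x rename to --link-mtu, the 1.6.0 backslash escapes in the config parser, and the 2.0 --key-method default), here is a small Python tokenizer plus a peer-compatibility lint. It is example code written for this page, not OpenVPN's own parser or option handling; it models only the behaviour stated in the notes. The function names, the comment-line convention ('#' or ';'), the dropping of pre-release suffixes such as "-beta12" when comparing versions, and the use of --tls-server/--tls-client to detect TLS mode are assumptions.

```python
# Added example, not OpenVPN code.  Models only what the compatibility notes
# state: backslash escapes (1.6.0+), the 1.3.0 --udp-mtu default change, the
# 1.5.x --udp-mtu -> --link-mtu rename, and the 2.0 --key-method 2 default.
from typing import Dict, List, Optional, Tuple

Options = Dict[str, List[str]]


def tokenize_config_line(line: str, shell_escapes: bool = True) -> List[str]:
    r"""Split one config line (without trailing newline) into tokens.

    shell_escapes=True models the 1.6.0+ parser: a backslash makes the next
    character literal, so '\\' yields one backslash and '\ ' keeps a space
    inside a token.  shell_escapes=False models the older behaviour (assumed
    here) where a backslash is an ordinary character.  Lines starting with
    '#' or ';' are comments (assumption: usual OpenVPN config convention).
    """
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return []
    tokens: List[str] = []
    current: List[str] = []
    in_token = False
    i = 0
    while i < len(line):
        ch = line[i]
        if shell_escapes and ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # escaped character is always literal
            in_token = True
            i += 2
            continue
        if ch.isspace():
            if in_token:
                tokens.append("".join(current))
                current, in_token = [], False
        else:
            current.append(ch)
            in_token = True
        i += 1
    if in_token:
        tokens.append("".join(current))
    return tokens


def parse_config(text: str, shell_escapes: bool = True) -> Options:
    """Map each option name (leading dashes stripped) to its argument list."""
    options: Options = {}
    for line in text.splitlines():
        tokens = tokenize_config_line(line, shell_escapes)
        if tokens:
            options[tokens[0].lstrip("-")] = tokens[1:]
    return options


def version_tuple(version: str) -> Tuple[int, int, int]:
    """'1.5.2' -> (1, 5, 2); '2.0-beta12' -> (2, 0, 0) (suffix ignored)."""
    parts = [int(p) for p in version.split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def link_mtu(opts: Options) -> Optional[int]:
    """Explicit link MTU; --udp-mtu is the pre-1.5.x spelling of --link-mtu."""
    for name in ("link-mtu", "udp-mtu"):
        if opts.get(name):
            return int(opts[name][0])
    return None


def uses_tls(opts: Options) -> bool:
    # Assumption: TLS mode is selected with --tls-server or --tls-client.
    return "tls-server" in opts or "tls-client" in opts


def compatibility_warnings(ver_a: str, cfg_a: Options,
                           ver_b: str, cfg_b: Options) -> List[str]:
    """Warnings for two peers, based only on the MTU and key-method notes."""
    va, vb = version_tuple(ver_a), version_tuple(ver_b)
    warnings: List[str] = []
    # 1.3.0 changed the default --udp-mtu from 1500 to 1300: peers on opposite
    # sides of that release must set the value explicitly, and equally.
    if (va < (1, 3, 0)) != (vb < (1, 3, 0)):
        mtu_a, mtu_b = link_mtu(cfg_a), link_mtu(cfg_b)
        if mtu_a is None or mtu_b is None:
            warnings.append("set --udp-mtu explicitly on both peers: "
                            "the default changed in 1.3.0")
        elif mtu_a != mtu_b:
            warnings.append(f"link MTU mismatch: {mtu_a} vs {mtu_b}")
    # 2.0 defaults to --key-method 2 under TLS; to talk to a 1.x peer the
    # 2.0 side must state --key-method 1.
    for ver, cfg, peer_ver in ((va, cfg_a, vb), (vb, cfg_b, va)):
        if ver >= (2, 0, 0) and peer_ver < (2, 0, 0) and uses_tls(cfg):
            args = cfg.get("key-method")
            method = args[0] if args else "2"
            if method != "1":
                warnings.append("the 2.0 peer must use --key-method 1 "
                                "to talk TLS to a 1.x peer")
    return warnings


if __name__ == "__main__":
    # Constructed sample configs, not from any real deployment.
    server_20 = parse_config("dev tun\ntls-server\nup /etc/openvpn/up\\ hook.sh\n")
    client_15 = parse_config("dev tun\ntls-client\n", shell_escapes=False)
    for w in compatibility_warnings("2.0", server_20, "1.5.2", client_15):
        print("warning:", w)
```

The lint goes slightly beyond the single cases in the text: it accepts either spelling of the MTU option on either peer and does not care which peer is the newer one. Running the constructed sample prints exactly one warning, for the missing --key-method 1 on the 2.0 server; the escaped space in the up-script path survives tokenization as a single argument.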

Starting with version 2.0-beta12, OpenVPN has adopted a consistent approach to string remapping to prevent trusted or semi-trusted peers from sending maliciously crafted strings. The details are discussed in the String Types and Remapping section of the man page.

Starting with version 2.0-beta17, OpenVPN's default port number has been changed from 5000 to 1194 per an official port assignment by IANA in November 2004.