The OpenVPN 3 Linux client is the next generation client on Linux which utilizes features provided in modern Linux distributions. It can be used by unprivileged users, handles DNS configuration out-of-the-box, and provides features for improved access control of VPN configuration profiles as well as running VPN sessions. Its integration possibilities can be extended using additional add-on modules, like providing an automated AWS VPC integration.
For advanced users, it provides an easy-to-use programming interface built on D-Bus to control VPN configuration profiles and sessions programmatically. It also ships with a Python 3 module which can be used to quickly write your own management tools.
OpenVPN 3 Linux builds on the same OpenVPN 3 Core library which is also used by our official OpenVPN Connect clients.
Frequently Asked Questions
The DCO (Data Channel Offload) feature that can speed up OpenVPN connections is currently under heavy development and released as a tech-preview and is not yet considered suitable for production.
This feature depends on the ovpn-dco kernel module.
[root@host ~]# modinfo ovpn-dco
This command should return information about the kernel module.
[root@host ~]# dkms status
If this only says the `ovpn-dco` module is `added` and not `installed` or the installed kernel version does not match the running kernel version, there is a mismatch between the kernel version the ovpn-dco module is built for and the currently running kernel.
The best way to resolve this is to always ensure your host is up-to-date with kernel updates and has been rebooted into this kernel.
Yes. It ships with a tool called ‘openvpn3-as’ which can be used to automatically download the VPN configuration profile from an OpenVPN Access Server.
From your Linux with the OpenVPN 3 Linux client installed, enter the command:
The tool will then prompt you for the username and password for the user you’ve set up in Access Server for this client.
OpenVPN Access Server Username: john.doe OpenVPN Access Server Password: [input hidden]
After authenticating, you will see a message that the profile imported successfully:
Profile imported successfully Configuration name: AS:your-access-server Configuration path: /net/openvpn/v3/configuration/5bf…
With this completed successfully, the profile is now stored on this host. It is only accessible for the user account who did this import step.
To start a new VPN session to the OpenVPN Access Server:
openvpn3 session-start --config AS:your-access-server
Please refer to the documentation for ‘openvpn3 config-acl’ and ‘openvpn3 session-acl’.
Yes. The ‘openvpn2’, ‘openvpn3-autoload’ and ‘openvpn3-as’ commands are all Python scripts which facilitate this Python 3 module. More examples can also be found in the source tree.
First, you must install the ‘openvpn3-addon-aws’ package. This service must run before any VPN sessions are started. This ships with a comprehensive man-page for the ‘openvpn3-service-aws’.
apt install openvpn3-addon-aws
yum install openvpn3-addon-aws
When the ‘openvpn3-service-aws’ service is running, it will be notified of route changes coming from running VPN sessions. These route changes are then propagated to the AWS VPC routing table.
Important note regarding this service:
The ‘openvpn3-service-aws’ service depends on AWS role references. We recommend using AWS CloudFormation scripts to configure it. Please read the man page carefully on how to do this. It also includes AWS CloudFormation and related configuration examples.
All openvpn3 related commands and the complete OpenVPN 3 Linux stack ships with a vast amount of man pages. A good starting point is probably the openvpn3-linux(7) man page. For the complete overview, have a look at our git repository.
Yes. You can use any programming language providing D-Bus integration. For shell scripting languages, you need to use helper tools like ‘dbus-send’, ‘busctl’, ‘gdbus’ and similar tools. For an overview of the D-Bus services available, have a look at this service overview documentation.
OpenVPN 2 Linux clients allow for user credentials to be stored in a text-based file and used to start a VPN connection. With OpenVPN 3 Linux, this is now unsupported. We know, however, that there are specific use cases where it may still be needed. For those, please refer to this documentation, OpenVPN 3 Linux and --auth-user-pass, on how to set up a workaround.