LinuxCommandLibrary

openvpn

open-source VPN solution using SSL/TLS for key exchange

TLDR

Connect using config file

$ sudo openvpn --config [client.ovpn]
Connect with authentication file
$ sudo openvpn --config [client.ovpn] --auth-user-pass [credentials.txt]
Start as daemon
$ sudo openvpn --config [client.ovpn] --daemon
Generate static key
$ openvpn --genkey secret [static.key]
Test config without connecting
$ openvpn --config [client.ovpn] --verb 3 --pull
Show version and compile options
$ openvpn --version

SYNOPSIS

openvpn [--config file] [--remote host] [--dev tun|tap] [--ca file] [--cert file] [--key file] [options]

DESCRIPTION

OpenVPN is an open-source VPN solution using SSL/TLS for key exchange. It can create secure point-to-point or site-to-site connections, operating over UDP or TCP.
Two modes exist: routed (TUN) and bridged (TAP). TUN mode creates point-to-point IP tunnels, efficient for most VPN needs. TAP mode bridges Ethernet frames, required for non-IP protocols.
Configuration typically uses .ovpn files containing all connection parameters. These files can embed certificates or reference external files. Commercial VPN providers distribute pre-configured .ovpn files.
Security features include: certificate-based authentication, perfect forward secrecy, HMAC packet authentication, and optional username/password verification. TLS-auth adds an additional HMAC layer for DoS protection.
Client and server modes use the same binary. Server configurations include routing, client management, and multi-client handling. Scripts can execute on connection events for dynamic routing and firewall rules.

PARAMETERS

--config file
Read configuration from file.
--remote host [port]
Remote VPN server address.
--port num
Local and remote port number.
--dev type
TUN/TAP device type (tun, tap).
--proto proto
Protocol: udp, tcp-client, tcp-server.
--ca file
Certificate authority file.
--cert file
Local certificate file.
--key file
Local private key file.
--auth-user-pass [file]
Username/password authentication.
--tls-auth file [direction]
HMAC authentication on control channel.
--cipher alg
Encryption cipher.
--auth alg
HMAC digest algorithm.
--compress [alg]
Compression algorithm.
--daemon [name]
Daemonize after initialization.
--log file
Log to file.
--verb level
Verbosity level (0-11).
--ping n
Ping remote every n seconds.
--ping-restart n
Restart if no ping response in n seconds.
--script-security level
Script execution policy.

CAVEATS

Requires root/administrator for TUN/TAP creation. Firewalls must allow VPN traffic. Certificate management adds complexity. Performance depends on cipher choice and hardware. MTU issues can cause connectivity problems. Some networks block OpenVPN signatures.

HISTORY

OpenVPN was created by James Yonan and first released in 2001. It was designed as an open-source alternative to IPsec, using standard TLS for the control channel. The project has become one of the most widely deployed VPN solutions, used by both commercial providers and enterprises. OpenVPN 3 introduced a new core library in C++.

SEE ALSO

wireguard(1), ipsec(8), stunnel(8), ssh(1)
