Open VPN3 Linux
[[TOC]]
The [https://codeberg.org/OpenVPN/openvpn3-linux/ OpenVPN 3 Linux project] is a new
client built on top of the [https://github.com/OpenVPN/openvpn3/ OpenVPN 3 Core
Library], which is also used in the various OpenVPN Connect clients and OpenVPN for
Android (needs to be enabled via the settings page in the app).
Even though the project name carries "Linux", it doesn't mean it is restricted to
Linux only. Any platform which has D-Bus available should be capable of running
this client in theory. But since D-Bus is most commonly used in Linux
environments, this will naturally be the primary focus for the project.
The release notes are stored in git tags in the project git repository. They can
also be viewed here: https://gitlab.com/openvpn/openvpn3-linux/-/tags
== Pre-built packages ==
With the release of OpenVPN 3 Linux v21, we will provide packages via different
software repositories. Users requiring a production-stable version should only use
the software repositories for stable releases. All the distributions targeting the
Enterprise Linux or Long-Term Stable releases will be available through this
channel. Other distributions may need to use the repositories for development/beta
releases. The stable versions will not have as frequent releases as the
development/beta releases.
Supported distributions:
||= **Distribution Vendor** =||= **Release** =||= **Release name** (`DISTRIBUTION`) =||= **Architecture** =||= **DCO support** =||= **Repositories** =||
|| Debian || 10 || buster || amd64, arm64 (*0) || - || Stable ||
|| Debian || 11 || bullseye || amd64, arm64 (*0) || - || Stable ||
|| Debian || 12 || bookworm || amd64, arm64 (*0) || yes || Stable ||
|| Fedora || 37, 38, Rawhide (*1) || - || aarch64 (*0), ppc64le, s390x, x86_64 || yes || Fedora Copr (*2) ||
|| Red Hat Enterprise Linux / CentOS || 7 || - || ppc64le (*3), x86_64 || - || Stable, Fedora Copr ||
|| Red Hat Enterprise Linux || 8 || - || aarch64 (*0), ppc64le (*3), s390x (*3), x86_64 || yes || Stable, Fedora Copr ||
|| Red Hat Enterprise Linux || 9 || - || aarch64 (*0), ppc64le (*3), s390x (*3), x86_64 || yes || Stable, Fedora Copr ||
|| Ubuntu (LTS) || 20.04 || focal || amd64, arm64 (*0) || yes || Stable ||
|| Ubuntu (LTS) || 22.04 || jammy || amd64, arm64 (*0) || yes || Stable ||
|| Ubuntu || 22.10 || kinetic || amd64, arm64 (*0) || yes || dev/beta ||
|| Ubuntu || 23.04 (*2) || lunar || amd64, arm64 (*0) || yes || dev/beta ||
|| Ubuntu || 23.10 (*2*) || mantic || amd64, arm64 (*0) || yes || dev/beta (not yet released) ||
In many cases, the Red Hat Enterprise Linux packages will also work on Alma Linux
and Rocky Linux.
Replace the `DISTRIBUTION` part in the command below using the release name from
the table above to set up the apt source listing:
{{{
# echo "deb [signed-by=/etc/apt/keyrings/openvpn.asc] https://packages.openvpn.net/openvpn3/debian DISTRIBUTION main" >>/etc/apt/sources.list.d/openvpn3.list
}}}
{{{
# yum install https://packages.openvpn.net/openvpn-openvpn3-epel-repo-1-1.noarch.rpm
}}}
Red Hat Enterprise Linux 7 and CentOS 7 must install this package instead:
{{{
# yum install https://packages.openvpn.net/openvpn-openvpn3-rhel7-repo-1-1.noarch.rpm
}}}
=== __Fedora Copr repository__ - Fedora / Red Hat Enterprise Linux ===
This repository will have more frequent releases than the stable repository, but
packages from this repository will not have been through the same level of QA
testing before releases.
Ensure the `yum copr` or `dnf copr` functionality is installed and ready. Then
enable the Fedora Copr repository for OpenVPN 3 Linux:
{{{
# yum copr enable dsommers/openvpn3
}}}
Information about the old .deb package repository, which carries OpenVPN 3 Linux
v20 and older, can be found here:
https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux?version=28
The OpenVPN Data Channel Offload (OpenVPN DCO) is a kernel module which can
accelerate the OpenVPN traffic throughput. OpenVPN 3 Linux uses the same kernel
module as OpenVPN 2.6.
For Debian and Ubuntu distributions, install the `openvpn-dco-dkms` package.
Fedora and Red Hat Enterprise Linux distributions need to install the
`kmod-ovpn-dco` package.
With this installed, VPN sessions can be started with the Data Channel Offload
enabled. To test it on an existing configuration:
{{{
$ openvpn3 session-start --dco true --config CONFIG_NAME
}}}
To make this persistent each time, use the OpenVPN 3 Configuration Manager:
{{{
$ openvpn3 config-import --persistent --name CONFIG_NAME --config /path/to/configuration/profile.ovpn
$ openvpn3 config-manage --show --config CONFIG_NAME --dco true
}}}
Then each time the VPN configuration is started, either via
`openvpn3 session-start` or the systemd `openvpn3-session@.service` unit file, DCO
will be enabled.
Please verify that the log output indicates that DCO has truly been enabled, as it
might be disabled on the fly if your configuration profile is not DCO compliant.
A DCO compliant configuration profile cannot use compression features and must use
an AEAD based cipher (like AES-GCM or ChaCha20-Poly1305).
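The two requirements above can be checked against a profile before a session is started. The following is an added example, not part of the original page or of the OpenVPN 3 Linux project; the function names, the sample profile and the rule of flagging every `compress`/`comp-lzo` line regardless of its argument are assumptions made here. The session log remains the place to confirm that DCO was actually enabled.

```shell
#!/bin/sh
# Added example (not from the OpenVPN 3 Linux project): static pre-check of a
# profile against the two DCO requirements stated above.
# Assumption: every compress/comp-lzo line is flagged, whatever its argument.

# dco_findings PROFILE: print one line per finding; no output means none found.
dco_findings() {
    awk '
    function aead(c) {                  # AEAD here: *-GCM or CHACHA20-POLY1305
        c = toupper(c)
        return (c ~ /-GCM$/ || c == "CHACHA20-POLY1305")
    }
    /^[ \t]*<\//             { inblock = 0; next }  # end of inline <ca>, <key>...
    /^[ \t]*</               { inblock = 1; next }  # start of inline block
    inblock                  { next }               # skip embedded PEM data
    /^[ \t]*[#;]/ || NF == 0 { next }               # comments and blank lines
    $1 == "compress" || $1 == "comp-lzo" {
        printf "line %d: compression directive %s\n", NR, $1; next
    }
    $1 == "cipher" && !aead($2) {
        printf "line %d: non-AEAD cipher %s\n", NR, $2; next
    }
    $1 == "data-ciphers" || $1 == "ncp-ciphers" {
        n = split($2, list, ":")
        for (i = 1; i <= n; i++)
            if (!aead(list[i]))
                printf "line %d: non-AEAD cipher %s in %s\n", NR, list[i], $1
    }' "$1"
}

# Constructed sample profile (hypothetical host name, placeholder certificate).
sample_profile() {
    cat <<'EOF'
client
remote vpn.example.net 1194 udp
# comp-lzo yes   (commented out, must be ignored)
compress lz4-v2
cipher AES-256-CBC
data-ciphers AES-256-GCM:CHACHA20-POLY1305:AES-128-CBC
<ca>
cipher placeholder-inside-inline-block
</ca>
EOF
}

tmp=$(mktemp) && sample_profile > "$tmp"
dco_findings "$tmp"     # reports lines 4, 5 and 6 of the sample
rm -f "$tmp"
```

An empty result only means that no explicit directive conflicts with the two stated requirements; it does not show what the server negotiates.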
For users familiar with the classic OpenVPN 2.x command line, the `openvpn2`
front-end aims to be fairly close to old behaviour.
{{{
$ openvpn2 --config ${MY_CONFIGURATION_FILE} --verb 6
}}}
For more advanced usage, the `openvpn3` command line offers a lot more features.
Configuration profiles in OpenVPN 3 Linux are managed by a
[https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-service-configmgr.8.rst Configuration Manager]
before the VPN session is started via the
[https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-service-sessionmgr.8.rst Session Manager].
The `openvpn3` utility gives access to the features these manager services provide.
{{{
$ openvpn3 session-start --config ${MY_CONFIGURATION_FILE}
}}}
==== Importing a configuration file for re-use and starting a VPN session
Using this approach, an imported configuration file can be used several times and
access to the configuration file itself is not needed to start VPN tunnels. By
default, imported configuration profiles are only available to the user who
imported the configuration file. But OpenVPN 3 Linux also provides an Access
Control List feature via
[https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-config-acl.1.rst openvpn3 config-acl]
to grant access to specific or all users on the system.
{{{
$ openvpn3 config-import --config ${MY_CONFIGURATION_FILE}
}}}
This loads the configuration profile and stores it in memory only. That means that
if the system is rebooted, the configuration profile is not preserved. If the
`--persistent` argument is added to the command line above, the configuration
profile will be saved to disk in a directory only accessible by the `openvpn` user.
Whenever the
[https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-service-configmgr.8.rst Configuration Manager]
is started, configuration files imported with `--persistent` will be automatically
loaded as well.
{{{
$ openvpn3 configs-list
}}}
A configuration file typically contains generic options to be able to connect to a
specific server, regardless of the device itself. OpenVPN 3 Linux also supports
setting more host-specific settings on a configuration profile. This is handled via
the
[https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-config-manage.1.rst `openvpn3 config-manage`]
interface. Any settings here will also be preserved across boots if the
configuration profile was imported with the `--persistent` argument.
{{{
$ openvpn3 session-start --config ${CONFIGURATION_PROFILE_NAME}
}}}
{{{
$ openvpn3 session-start --config-path /net/openvpn/v3/configuration/.........
}}}
{{{
$ openvpn3 sessions-list
}}}
Using `openvpn3 session-manage` there are a few things which can be done, but the
`--disconnect` and `--restart` alternatives are the most commonly used.
{{{
$ openvpn3 session-manage --config ${CONFIGURATION_PROFILE_NAME} --restart
}}}
{{{
$ openvpn3 session-manage --session-path /net/openvpn/v3/sessions/..... --disconnect
}}}
The command above will disconnect a running session. Once this operation has
completed, the session will be removed from the `openvpn3 sessions-list` overview.
{{{
$ openvpn3 session-stats --config ${CONFIGURATION_PROFILE_NAME}
$ openvpn3 session-stats --session-path /net/openvpn/v3/sessions/.....
}}}
This might be quite silent, as it does not provide any log events from the past.
Issue an `openvpn3 session-manage --restart` from a different terminal, and log
events will occur. You may want to boost the log-level with `--log-level 6`.
Valid log levels are from 0 to 6, where 6 is the most verbose.
Note that the maximum log level is configured centrally. If you don't get more
output with higher log levels, increase the maximum log level first with
[https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-admin.8.rst `openvpn3-admin`]
(note that this command needs to be executed as root):
{{{
# openvpn3-admin log-service --log-level 6
}}}
VPN sessions are also owned by the user who started them. But the
[https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-service-sessionmgr.8.rst Session Manager]
also provides its own Access Control List feature via
[https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-session-acl.1.rst `openvpn3 session-acl`].
== Further information
* man pages:
  - [https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-linux.7.rst.in openvpn3-linux](7) - Main overview
  - [https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3.1.rst openvpn3](1) - `openvpn3` command line interface
  - [https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn2.1.rst openvpn2](1) - `openvpn2` command line interface which is similar to the classic OpenVPN 2.x interface
  - [https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-systemd.8.rst openvpn3-systemd](8) - Managing OpenVPN 3 Linux via systemd `systemctl`
  - [https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man More man pages]