Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic
curves are an alternative to RSA for asymmetric encryption.

Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only
in OpenVPN; the data channel (encrypting the actual network traffic) uses
symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key
exchange (ECDH).

Key exchange (ECDH)

OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is
used for authentication, the curve used for the server certificate will be used
for ECDH too. When autodetection fails (e.g. when using RSA certificates)
OpenVPN lets the crypto library decide if possible, or falls back to the

An administrator can force an OpenVPN/OpenSSL server to use a specific curve
using the --ecdh-curve <curvename> option with one of the curves listed as
available by the --show-curves option. Clients will use the same curve as
selected by the server.

Note that not all curves listed by --show-curves are available for use with TLS;
in that case connecting will fail with a 'no shared cipher' TLS error.

Authentication (ECDSA)

Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which
specific curves and cipher suites are available depends on your version and
configuration of the crypto library. The crypto library will automatically
select a cipher suite for the TLS control channel.

Support for generating an ECDSA certificate chain is available in EasyRSA (in
spite of its name) since EasyRSA 3.0. The parameters you're looking for are
'--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for
more details on generating ECDSA certificates.

Since 2.3.0, OpenVPN officially supports IPv6, and all widely used
patches floating around for older versions have been integrated.

IPv6 payload support

This is for "IPv6 inside OpenVPN", with server-pushed IPv6 configuration
on the client, and support for IPv6 configuration on the tun/tap interface
from within the openvpn config.

The code in 2.3.0 supersedes the IPv6 payload patches from Gert Doering,
formerly located at http://www.greenie.net/ipv6/openvpn.html

The following options have been added to handle IPv6 configuration,
analogous to their IPv4 counterparts (--server <-> --server-ipv6, etc.)

 - server-ipv6
 - ifconfig-ipv6
 - ifconfig-ipv6-pool
 - ifconfig-ipv6-push
 - route-ipv6
 - iroute-ipv6

See "man openvpn" for details on how they are used.

IPv6 transport support

This is to enable OpenVPN peers or client/servers to talk to each other
over an IPv6 network ("OpenVPN over IPv6").

The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante,
formerly located at http://github.com/jjo/openvpn-ipv6

OpenVPN 2.4.0 includes a big overhaul of the IPv6 transport patches
originally implemented for the Android client (ics-openvpn).

IPv4/IPv6 transport is automatically selected when resolving addresses.
Use a 6 or 4 suffix to force IPv6/IPv4:

 --proto udp6
 --proto tcp4
 --proto tcp6-client
 --proto tcp4-server
 --proto tcp6 --client / --proto tcp6 --server

On systems that allow IPv4 connections on IPv6 sockets
(all systems supporting the IPV6_V6ONLY setsockopt), an OpenVPN server can
handle IPv4 connections on the IPv6 socket as well, making it a true
dual-stacked server. Use "bind ipv6only" to disable this behaviour.

On other systems, as of 2.3.0, you need to run separate server instances
for IPv4 and IPv6.
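The ECDH curve rule above (the server picks the curve, clients follow it) and the IPv6 transport/payload options in this section are easy to mix up in a config file. The following checker is an added example, not OpenVPN code: it parses a config, reports which transport family a --proto suffix forces, whether a server listening on IPv6 is dual-stacked or has "bind ipv6only", flags IPv6 payload options whose argument is not an IPv6 prefix, and flags --ecdh-curve on a client. The "addr/bits" argument form for the IPv6 payload options is assumed from the OpenVPN manual.

```python
import ipaddress

# IPv6 payload options listed in the README; each takes an "addr/bits"
# prefix as its first argument (format assumed from the OpenVPN manual).
IPV6_PAYLOAD_OPTS = ("server-ipv6", "ifconfig-ipv6", "ifconfig-ipv6-pool",
                     "ifconfig-ipv6-push", "route-ipv6", "iroute-ipv6")

def parse_config(text):
    """Split OpenVPN config text into (option, args) pairs. Accepts file
    syntax ("proto udp6") and CLI syntax ("--proto udp6"); '#' and ';'
    start comments."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            opts.append((parts[0].lstrip("-"), parts[1:]))
    return opts

def proto_family(proto):
    """4 or 6 when the --proto suffix forces the transport family, None
    when OpenVPN picks the family while resolving addresses."""
    base = proto.split("-", 1)[0]            # drop "-client" / "-server"
    return {"4": 4, "6": 6}.get(base[-1])

def check_config(text):
    """Return findings about the IPv6 transport/payload and ECC options."""
    opts = parse_config(text)
    names = {name for name, _ in opts}
    is_server = bool(names & {"server", "server-ipv6"})
    findings, family = [], None
    for name, args in opts:
        if name == "proto" and args:
            family = proto_family(args[0])
            findings.append("transport: " + (("IPv%d forced by proto suffix" % family)
                            if family else "family chosen when resolving addresses"))
        elif name in IPV6_PAYLOAD_OPTS and args:
            try:                             # every payload option wants an IPv6 prefix
                ipaddress.IPv6Network(args[0], strict=False)
            except ValueError:
                findings.append("%s: %r is not an IPv6 prefix" % (name, args[0]))
    if is_server and family == 6:            # IPv6 socket: dual-stack unless disabled
        if ("bind", ["ipv6only"]) in opts:
            findings.append("dual-stack: off, IPv6 clients only")
        else:
            findings.append("dual-stack: IPv4 clients are also accepted on the "
                            "IPv6 socket where IPV6_V6ONLY is supported")
    if is_server and "server" in names and "server-ipv6" not in names:
        findings.append("payload: IPv4 only, no server-ipv6 counterpart set")
    if "client" in names and "ecdh-curve" in names:
        findings.append("ecdh-curve: ignored on a client, the server's curve is used")
    return findings
```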

This version of OpenVPN has PolarSSL support. To enable it, follow the build
instructions below.

To Build and Install,

 ./configure --with-crypto-library=polarssl
 make install

This version depends on PolarSSL 1.3 (and requires at least 1.3.3).

Due to limitations in the PolarSSL library, the following features are missing
in the PolarSSL version of OpenVPN:

 * PKCS#12 file support
 * --capath support - Loading certificate authorities from a directory
 * Windows CryptoAPI support
 * X.509 alternative username fields (must be "CN")
 * X.509 subject line has a different format than the OpenSSL subject line
 * X.509 certificate export does not work
 * X.509 certificate tracking