OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.

OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms.

Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.

What can I use OpenVPN for?

  • Tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
  • Configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,
  • Use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
  • Use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,
  • Choose between static-key based conventional encryption or certificate-based public key encryption,
  • Use static, pre-shared keys or TLS-based dynamic key exchange,
  • Use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
  • Tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
  • Tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
  • Tunnel networks over NAT,
  • Create secure ethernet bridges using virtual tap devices, and
  • Control OpenVPN using a GUI on Windows or Mac OS X.

How do I set up OpenVPN?

  • Download OpenVPN for your operating system
  • Run the downloaded file to install the client on your computer
  • Enter the URL of your OpenVPN server, or drag and drop a config file (you can try VPNBook)

What is the difference between OpenVPN and OpenVPN Connect?

OpenVPN is open source, completely free, and supported by the community. OpenVPN Connect is the commercial implementation of OpenVPN. OpenVPN Connect has a free version but this version is limited to two connections. Both have a similar GUI.

Is OpenVPN free?

Yes, OpenVPN is free and open source. It does require some configuring, but ultimately it has no cost for the user.

What's New

Security fixes:

  • openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. Specific combinations of --dns config entries plus local DNS config could lead to corruption of the pre-OpenVPN DNS config (CVE-2026-13379). Bug found by 章鱼哥 (www.aipyaipy.com).
  • Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets (CVE-2026-12996). Bug found by multiple researchers:
    • 章鱼哥 (www.aipyaipy.com)
    • Haiyang Huang
    • Haruki Oyama (Waseda University)
  • Fix use-after-free bug in tls_wrap_reneg(), triggerable by a suitable sequence of dynamic tls-crypt control-channel packets (CVE-2026-13117). Bug found by multiple researchers:
    • Trace37 Labs (github.com/trace37labs)
    • Haiyang Huang
  • Fix server crash on reception of a suitably malformed auth-token, if --auth-gen-token external-auth is active (CVE-2026-13122). Bug found by Haiyang Huang.
  • Fix memory leak in tls-crypt-v2 client key handling that could lead to out-of-memory situations and subsequent server crashes (CVE-2026-12932). Bug found by Valton Tahiri.
  • Fix possible 1-byte buffer overrun on NTLMv2 proxy responses (CVE-2026-11771). Bug found by Tristan Madani (@TristanInSec).
  • Fix another memory leak on reception of suitable tls-crypt-v2 packets that could lead to an out-of-memory situation and server crash (CVE-2026-13698). Bug found by Max Fillinger. Overlaps with a report from Valton Tahiri that we believe to be fixed by this bugfix as well.

Bugfixes:

  • Windows: fix plugin trusted-dir check prefix bypass (this fixes a bug in the path checking logic we do on Windows for "is loading a plugin from this path allowed?", but since we could not find a way to exploit this unless starting with admin privs or a social engineering attack, it is not classified as a security fix)
  • Windows: openvpnserv: rework ConvertItfDnsDomains and tests (this fixes a buffer overread that is not exploitable and as such not classified as a security fix)
  • options: fix use-after-free of DNS options on client connect (using suitable --dns or --dhcp-option DNS options in a server config - not pushed, but applying to the server itself - triggers a double free() and use-after-free condition, possibly crashing the server) (Github: OpenVPN/openvpn#1060)
  • dns: Fix memory leak in dns_server_addr_parse, if too many server addresses are configured (Github: OpenVPN/openvpn#1055)
  • improve multi-socket event handling further - multiple open UDP sockets with concurrent traffic could lead to inefficient processing, and the old code was also very hard to follow. (This was initially triggered by a report from Joshua Rogers using ZeroPath, but turned out to be "just bad code", not a security vulnerability)
  • Null-terminate tls-crypt client keys when testing - non-exploitable strlen() on a buffer that is not null-terminated
  • mudp: send HMAC reset reply synchronously - this fixes a bug where multiple incoming tls-crypt-v2 RESET packets on different sockets could end up overwriting each other's control structures, leading to initial handshake packets (HMAC reset reply) being sent to the wrong client IP, or on a non-suitable socket ("v4 packet on a v6 socket"). Since the overall flow here is stateless by nature, do not artificially create state by creating elaborate queues, just send-or-drop.
  • fix port-share and multi-socket interaction - port-share needs TCP listeners, but the check was wrong. So "as long as any of the listening sockets is TCP, port-share can be used" (Github: OpenVPN/openvpn#1027)
  • Ensure pushed tun-mtu is no lower than TUN_MTU_MIN - this fixes a bug where a server can push a suitable combination of options and make the client ASSERT(). (Reported as a security issue by Haiyang Huang, but it was decided that the server always has means to make the client "not function properly", and it can not be exploited beyond that)
  • Windows: socket: assert buffer length before reading prepended sockaddr family - a misbehaviour in the Windows DCO driver could trigger an overread in the userland client. No such bug exists, so this was not treated as a security vulnerability

Documentation improvements:

  • improve documentation for --float (Github: OpenVPN/openvpn#358)
  • add documentation for --preresolve (Github: OpenVPN/openvpn#532)
  • improve documentation around DNS config (Github: OpenVPN/openvpn#937)

The OpenVPN community project team is proud to release OpenVPN 2.7_alpha1. This is the first Alpha release for the feature release 2.7.0. As the Alpha name implies, this is an early release build and is not intended for production use.

Highlights of this release include:

  • Multi-socket support for servers – Handle multiple addresses/ports/protocols within one server
  • Improved Client support for DNS options
    • Client implementations for Linux/BSD, included with the default install
    • New client implementation for Windows, adding support for features like split DNS and DNSSEC
  • Architectural improvements on Windows
    • The block-local flag is now enforced with WFP filters
    • Windows network adapters are now generated on demand
    • Windows automatic service now runs as an unprivileged user
    • Support for server mode in win-dco driver
    • Note: Support for the wintun driver has been removed. win-dco is now the default, tap-windows6 is the fallback solution for use-cases not covered by win-dco.
  • Improved data channel
    • Enforcement of AES-GCM usage limit
    • Epoch data keys and packet format
  • Support for new upstream DCO Linux kernel module
    • This release supports the new ovpn DCO Linux kernel module which will be available in future upstream Linux kernel releases. Backports of the new module to current kernels are available via the ovpn-backports project.

For details see Changes.rst

Windows MSI changes since 2.6.15:

  • Built against OpenSSL 3.5.0
  • Included openvpn-gui updated to 11.53.0.0
  • Support for webauth in PLAP (Pre-Logon Access Provider) via QR code (github openvpn-gui#687)

OpenVPN 2.6.14

Security fixes:

  • CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2. Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets. To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key. No crypto integrity is violated, no data is leaked, and no remote code execution is possible. This bug does not affect OpenVPN clients. (Bug found by internal QA at OpenVPN Inc)

Windows MSI changes since 2.6.13:

  • Built against OpenSSL 3.4.1
  • Included openvpn-gui updated to 11.52.0.0
  • Use correct %TEMP% directory for debug log file.
  • Disable config in menu listing if its ovpn file becomes inaccessible (github openvpn-gui#729)

Previous release notes

Security fixes:

  • CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking the openvpn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)
  • CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
  • CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client (Reynir Björnsson)

New features:

  • Windows Crypto-API: Implement Windows CA template match for searching certificates in windows crypto store.
  • Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise)

Bug fixes:

  • Fix connect timeout when using SOCKS proxies (trac #328, github #267)
  • Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, see also LibreSSL/OpenBSD#150)
  • Add bracket in fingerprint message and do not warn about missing verification (github #516)

Documentation:

  • Remove "experimental" denotation for --fast-io
  • Correctly document ifconfig_* variables passed to scripts
  • Documentation: make section levels consistent
  • Samples: Update sample configurations (remove compression & old cipher settings, add more informative comments)

Windows MSI changes since 2.6.10:

  • For the Windows-specific security fixes see above
  • Built against OpenSSL 3.3.1
  • Included openvpn-gui updated to 11.49.0.0
  • Contains part of the fix for CVE-2024-4877