Provided by: openvpn3-client_24+dfsg-1_amd64 
NAME
openvpn3-linux - OpenVPN 3 Linux Overview
DESCRIPTION
OpenVPN 3 Linux is an OpenVPN platform which builds on capabilities available on newer Linux
distributions. Compared to the more classic OpenVPN 2.x generation, OpenVPN 3 Linux covers many more
aspects of the VPN configuration and session life-cycle.
To quickly compare them, OpenVPN 2.x is a single process which is responsible for a single VPN session.
There are no configuration or session management in OpenVPN 2.x itself, it depends on the systemd
openvpn-client@.service and openvpn-server@.service unit files, the Network Manager OpenVPN plug-in or
other third-party management tools.
OpenVPN 3 Linux provides full configuration and session management in addition to the VPN tunnel itself.
For example, it has built in privilege separation and execution models, for improved process security.
This allows unprivileged users to start their own VPN sessions and manage them themselves. VPN
configuration files can be shared with other users on the system or kept private.
Through this privilege separation model, network configuration aspect of the VPN tunnel is split out into
its own process which runs with as few privileges as possible. In practice that means it can only to
network configuration changes. This network configuration service is also capable of setting up the DNS
resolver out-of-the-box. For OpenVPN 2.x to do that, it would need to run additional scripts or use
specific plug-ins to trigger such updates on the system.
With this architecture, OpenVPN 3 Linux is split up into several services running independently of each
other. These services are referred to as backend services. The interaction with these services happens
through what is referred to as a user front-end.
USER FRONT-ENDS
There are several user front-ends tools which is used to interact with the various components of OpenVPN
3 Linux.
• openvpn2
This aims to be fairly similar to the more classic openvpn(8) command line, with the exception that it
only processes client related options.
• openvpn3
This is the main utility for managing all the features available in OpenVPN 3 Linux and has a different
user interface than openvpn2(1) or openvpn(8). On systems with the bash-completion integration
installed, almost every command, option and argument used by openvpn3 will get auto-completion help.
• openvpn3-admin
This utility is mostly targeting system administrators and provides interfaces to do some management of
the various OpenVPN 3 D-Bus services. See openvpn3-admin(8) for more details.
• openvpn3-session@.service (openvpn3-systemd)
VPN sessions can be started and managed directly via systemctl(1) by using the
openvpn3-session@.service service unit. This also enables VPN sessions to be started automatically
during system boot. This service unit uses a helper utility, openvpn3-systemd(1) which works as a glue
layer between the OpenVPN 3 Linux services and systemd
In addition, a Python 3 module is also available making it possible to write your own OpenVPN 3
front-ends with little extra efforts. Both openvpn2 and openvpn3-systemd are Python 3 scripts which
makes use of this OpenVPN 3 Python module.
OPENVPN 3 D-BUS SERVICES
The front-end interfaces talks to services which are started automatically when needed and usually stops
running if they are not in use. There are several services, where each service only is responsible for a
fairly small set of features.
• Configuration Manager (openvpn3-service-configmgr)
This provides a service which only takes care of managing VPN configuration profiles for all users on
the system. It has a built in Access Control List mechanism, which ensures only users granted access
can access the information they need.
D-Bus name: net.openvpn.v3.configuration
• Session Manager (openvpn3-service-sessionmgr)
This service takes care of managing running OpenVPN sessions on the system. This has also its own set
of Access Control List mechanisms, where users on the system can be granted access to VPN sessions
started by other users. The default behaviour is to only let the user starting a VPN session manage
and access it.
D-Bus name: net.openvpn.v3.sessions
• VPN Client Backend (openvpn3-service-client)
This is the core VPN client. There will be running one such process per active VPN session.
D-Bus name: net.openvpn.v3.backends.be${PID}
• VPN Backend Starter (openvpn3-service-backendstart)
This is a helper service which is used by the Session Manager to start a new VPN backend service. When
a client profile is requested started, it will start an openvpn3-service-client process per VPN
session.
D-Bus name: net.openvpn.v3.backends
• Network Configuration (openvpn3-service-netcfg)
This is the most privileged D-Bus service, and is used by the Backend VPN Client processes. This is
responsible for creating and manage virtual network interfaces, configure IP addresses, routes in
addition to handling the DNS setup.
D-Bus name: net.openvpn.v3.netcfg
• Logging (openvpn3-service-log)
This is responsible to receive log events from all the services above and ensure they get logged
properly. Whether that is to a terminal, a log file or syslog, depends on the configuration. The
default is to start this service using the syslog integration.
D-Bus name: net.openvpn.v3.log
All of these services above are D-Bus services which is available on the system bus. They are all
automatically started when needed.
D-BUS POLICY
D-Bus enforces usage of a policy which defines who can access which D-Bus service and which features,
objects and properties provided by a D-Bus service.
The default OpenVPN 3 Linux policy is placed in several files prefixed net.openvpn.v3 in
/usr/share/dbus-1/system.d. The default policy provided by OpenVPN 3 Linux allows all users on the
system to load, start and manage their own OpenVPN configuration profiles and VPN sessions.
All the D-Bus services will start automatically when their services are requested by a front-end. Each
service has their own D-Bus service definition, which can be found in
/usr/share/dbus-1/system-services/net.openvpn.v3.*.service.
When an OpenVPN 3 Linux D-Bus service has been idle for a certain time and it does not need to preserve
any data kept in memory, it will automatically stop running. See the man page for each service to see
default idle time.
COMPATIBILITY WITH OPENVPN 2.X
OpenVPN 3 is mostly compatible with most of the client options found in OpenVPN 2.x. But there are some
important details where it differs.
• No TAP support
OpenVPN 3 does not support TAP interfaces, only TUN interfaces. This is by design, as all OS platforms
which provides a VPN API (Apple iOS, macOS, Android, Microsoft Universal Windows Platform) does only
support TUN interfaces.
• --fragment is not supported
While the use-cases for this feature is acknowledged, it is not considered an easy feature to implement
and it is being worked on alternatives which gives a reasonably equivalent user experience without
using --fragment where this will be automatically configured. If it turns out an alternative approach
is impossible, this feature might be implemented in the end.
• Currently no PKCS#11 support
This is a bigger task which will be worked on later, but it will attempt to integrate better on the
overall Linux platform instead of providing an OpenVPN specific implementation.
These are the most obvious features users will notice. This list might be extended as we receive more
feedback.
SEE ALSO
openvpn2(1) openvpn3(1) openvpn3-admin-init-config(8) openvpn3-service-backendstart(8)
openvpn3-service-client(8) openvpn3-service-configmgr(8) openvpn3-service-log(8)
openvpn3-service-netcfg(8) openvpn3-service-sessionmgr(8) openvpn3-systemd(8)
OPENVPN3-LINUX(7)