Features

Authentication

First and second factor authentication. Authentication using PAM, Radius, password file, one time passwords (HOTP/TOTP), OpenID Connect tokens, smart card, certificate authentication, and Kerberos with GSSAPI/SPNEGO.

Accounting

Get client usage statistics via API or via the Radius accounting protocol.

Security

Depend standard protocols only: TLS and Datagram TLS. The server key is protected by a software security module, and can further be protected by TPM, or by a hardware security module (HSM).

Networking

Support for IPv6 and IPv4 and collocation (port sharing) with an HTTPS server. The server can operate behind a proxy using the Proxy Protocol. Routes can be pushed from server to client as well as pre-configured routes can be pushed from the client to server.

Scalability

The number of connected clients and processing ability scales with the number of CPUs.

Control interface

Query for statistics and issue commands to the server. The 'occtl' tool works interactively or as an API with output in JSON format.

Performance and Reliability

Supports two concurrent VPN channels; the primary is over UDP/DTLS for performance, and the control+backup is over over TCP/TLS.

Resource limits

Set resource limits per client or groups of clients, in bandwidth, network priority, as well as confining clients in specific cgroups.

Client Isolation

Each client is isolated on a separate process with system calls filtered (seccomp) and is given a separate Linux networking device and IP. The server has modular design, with the main server process being isolated using privilege separation from the client worker processes. Clients can be restricted to the allowed routes using firewall rules (experimental).