Password authentication using PAM, Radius, password file, one time passwords (HOTP/TOTP), OpenID Connect (oidc - RFC6750) tokens, smart card and certificate authentication, Kerberos with GSSAPI/SPNEGO. Combine authentication methods to achieve 2FA.


Get client usage statistics either to custom applications or via the Radius accounting protocol.


The server's security depends on standards protocols only; TLS and Datagram TLS. The server key can be protected by TPM, or by a hardware security module (HSM), and by default by a software security module.


Support for IPv6 and IPv4 and collocation (port sharing) with an HTTPS server. The server can operate behind a proxy using the Proxy Protocol. Routes can be pushed from server to client as well as pre-configured routes can be pushed from the client to server.


The number of connected clients and processing ability scales with the number of CPUs. Stateless compression can be used to reduce bandwidth (see technical info).

Control interface

The 'occtl' tool allows to query and issue commands to the server; works interactively or it can output in JSON format.

Performance and Reliability

Supports two concurrent VPN channels; the primary is over UDP/DTLS for performance, and the control+backup is over over TCP/TLS.

Resource limits

Set resource limits per client or groups of clients, in bandwidth, network priority, as well as confining clients in specific cgroups.

Client Isolation

Each client is isolated on a separate process with system calls filtered (seccomp) and is given a separate Linux networking device and IP. The server has modular design, with the main server process being isolated using privilege separation from the client worker processes. Clients can be restricted to the allowed routes using firewall rules (experimental).