Authentication
First and second factor authentication. Authentication using PAM, Radius, password file,
one time passwords (HOTP/TOTP), OpenID Connect tokens, smart card, certificate authentication,
and Kerberos with GSSAPI/SPNEGO.
|
Accounting
Get client usage statistics via API or via the Radius accounting protocol. |
Security
Depend standard protocols only: TLS and Datagram TLS.
The server key is protected by a software security module, and can further be protected by TPM, or by a hardware security module (HSM).
|
Networking
Support for IPv6 and IPv4 and collocation (port sharing) with an
HTTPS server. The server can operate behind a proxy using the Proxy Protocol. Routes can be
pushed from server to client as well as pre-configured routes can be pushed from the client to server.
|
Scalability
The number of connected clients and processing ability scales with the number of CPUs.
|
Control interface
Query for statistics and issue commands to the server. The 'occtl' tool works interactively or as an API with output in JSON format.
|
Performance and Reliability
Supports two concurrent VPN channels; the primary is over UDP/DTLS for performance, and the control+backup is over over TCP/TLS.
|
Resource limits
Set resource limits per client or groups of clients, in bandwidth, network priority, as well as confining clients in specific cgroups.
|
Client Isolation
Each client is isolated on a separate process with system calls filtered (seccomp) and is given a separate Linux networking device and IP. The server has modular design, with the main server process being isolated using privilege separation from the client worker processes. Clients can be restricted to the allowed routes using firewall rules (experimental).
|