Ocserv features


First and second factor authentication. Authentication using PAM, Radius, password file, one time passwords (HOTP/TOTP), OpenID Connect, smart card, certificate authentication, and Kerberos with GSSAPI/SPNEGO.


Get client usage statistics via API or via the Radius accounting protocol.


Depend standard protocols only: TLS and Datagram TLS. The server key is protected by a software security module, and can further be protected by TPM, or by a hardware security module (HSM).


Support for IPv6 and IPv4 and collocation (port sharing) with an HTTPS server. Operate behind a proxy using the Proxy Protocol. Routes can be pushed from server to client and vice versa.


The number of connected clients and processing ability scales with the number of CPUs.

Control interface

Query for statistics and issue commands to the server. The occtl tool works interactively or as an API with JSON output.


Two concurrent VPN channels; the primary is over UDP/DTLS for performance, and the control+backup is over over TCP/TLS.

Resource limits

Set resource limits per client or groups of clients, in bandwidth, network priority, as well as confining clients in specific cgroups.

Client Isolation

Each client is isolated on a separate isolated (seccomp) process with a separate networking device and IP. The server has modular design using privilege separation from the client worker processes.