- Supports password authentication:
  - Password file
  - One time passwords (HOTP/TOTP)
- Public key (certificate) authentication.
- GSSAPI/SPNEGO (e.g., Kerberos) authentication.
- Allows for combined authentication methods to achieve 2FA.
- Reports client usage statistics either to custom applications or via the Radius accounting
- Privilege separation between the authentication process and the worker
processes. Each client is isolated on a separate process, with a separate
networking device and IP.
- Support for the server key being stored in TPM, a hardware security module (HSM), or
a smart card.
- Private keys are protected by a software security module by
- Supports two concurrent VPN channels; the primary is over UDP (and
Datagram TLS), and the control+backup is over TCP (and TLS 1.2).
- Support for IPv6 and IPv4.
- Support for setting resource limits per client or group of clients:
bandwidth, network priority, and confinement of clients to specific cgroups.
- Support for collocation (port sharing) with an
- Support for operation behind a proxy using the Proxy Protocol.
- Support for route pushing from server to client as well as for
(pre-configured) routes to be pushed from the client to server.
- Support for restricting (firewalling) clients to the allowed routes (experimental
and Linux-only for now).
- Processing ability scales with the number of CPUs.
- Support for optional stateless compression (see also technical
- Administrative interface:
  - Includes the 'occtl' tool to query and issue commands to the server.
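The one-time password item (HOTP/TOTP) and the combined-methods-for-2FA item above rely on RFC 4226 and RFC 6238. The following is an added, self-contained example written for this page, not code from the ocserv project, showing how a server-side verifier derives and checks those codes: HMAC over a counter (or a time step), dynamic truncation, a constant-time comparison, and the two checks that matter in practice, a bounded look-ahead for HOTP that advances the stored counter so a code cannot be replayed, and a small clock-skew window for TOTP. The secret and timestamps are the published RFC test vectors, used here as constructed input.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); constructed input for the demo.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, (for_time - t0) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step plus/minus `window` steps of clock drift.

    The comparison is constant-time so response timing does not leak how many
    leading digits matched.
    """
    counter = now // step
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + skew, digits), submitted):
            return True
    return False


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Check a counter-based code against the next `look_ahead` counters.

    Returns the counter that matched, which the caller must persist as the new
    `last_counter`; codes at or below the stored counter are never accepted, so a
    captured code cannot be replayed. Returns None when nothing matches.
    """
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    # HOTP vectors from RFC 4226 appendix D, counters 0..2
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_SECRET, c)}")
    # TOTP vectors from RFC 6238 appendix B (8 digits, SHA-1)
    for t in (59, 1111111109, 1234567890):
        print(f"TOTP at {t}: {totp(RFC_SECRET, t, digits=8)}")
    # Replay check: the code for counter 0 is rejected once the stored counter is 0
    print("replay of counter-0 code accepted:", verify_hotp(RFC_SECRET, hotp(RFC_SECRET, 0), 0) is not None)
```

The verifier deliberately returns the matched counter rather than a bare boolean: persisting it is what makes HOTP replay-resistant, and a deployment that forgets to store it accepts the same code indefinitely. For TOTP, keep the window small (one step either side is the usual choice) and, if the server also records the last accepted time step per user, reject a second submission of the same code within that step.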