The ovpn kernel module is part of the Linux kernel starting from version 6.16. It enhances OpenVPN performance by offloading data channel management to the kernel. This repository contains out-of-tree backports for the ovpn kernel module, enabling its use with older kernel versions.
The repository consists of two main branches:
main: tracks the latest code from thenet-nexttree.net: tracks the latest code from thenettree.
Additionally, there are two branches dedicated to development and testing, which may contain code not yet part of any official kernel tree:
development: code built on top of thenet-nexttree.development-net: code built on top of thenettree.
Finally, there are four corresponding branches for pre-patched sources:
sources: pre-patched sources formain.net-sources: pre-patched sources fornet.development-sources: pre-patched sources fordevelopment.development-net-sources: pre-patched sources fordevelopment-net.
You can download packages from the OpenVPN OBS repository.
A pre-patched version of the source files is available for download in the tags section of this repository. Generally, you’ll want to download the packages containing either 'main' or 'net' in the name, as these track the 'net-next' and 'net' trees, respectively (see branch structure).
After downloading and ensuring the kernel headers are installed, simply run make && make install to build and install the module.
Another way to download the pre-patched sources is to clone the repository and check out a branch containing sources in the name (see branch structure). Then, after ensuring the kernel headers are installed, simply run make && make install to build and install the module.
To build the module, you need the kernel headers (or sources) and the ovpn source files. You can either compile the module against your currently running kernel (by ensuring the headers are installed) or against a different kernel version by providing the appropriate path to the kernel sources.
The first step is to get the latest ovpn sources through the utility script backports-ctl.sh:
./backports-ctl.sh get-ovpnBe aware that this command temporarily downloads a full kernel tree, extracts the ovpn files from it, and applies patches. If you want the kernel repository to persist, run the command with the --keep (or -k) option. This option keeps the repository in the kernel directory as a shallow copy, and subsequent runs will simply update it.
Additionally you can restore the repository to its original state with:
./backports-ctl.sh cleanTo build the ovpn kernel module, just type:
makein the root folder. The Makefile will autodetect your running kernel and will try to use its headers to get the code compiled.
To include debugging symbols in the module, you can run:
make debug # or make DEBUG=1If you want to build ovpn against a kernel different from the one running on the host, run:
make KERNEL_SRC=/path/to/the/kernel/treeThe control is passed to the kernel Makefile, therefore any kernel Makefile argument can be specified on the command line and it will be passed automatically. Once done building, executing the command:
make installwill install the ovpn.ko kernel module in the updates/ subfolder of the kernel modules directory on your system. It normally means /lib/modules/$(uname -r)/updates/.
NOTE: If Secure Boot is enabled, you need to sign the module before loading it. Check this tutorial on how to sign a custom kernel module.
Alongside the source files, the tests/ovpn-cli directory contains kernel selftests and the handy ovpn-cli tool. To compile it, simply run make ovpn-cli from the root directory of the repository.
This tool is essential for executing selftests and is also useful for debugging. You can explore its capabilities by running ./ovpn-cli.
The module was compiled and tested on the following distributions:
- Ubuntu 20.04, 22.04, 24.04
- Debian 11, 12
- RHEL 8, 9, 10
- openSUSE Tumbleweed/Slowroll
- openSUSE SLE 15