Operational modes overview
OpenVPN can operate in two distinct modes, defined in src/openvpn/openvpn.c:303.
Point-to-point mode
Point-to-point (P2P) mode creates a single tunnel between two peers. This is the simpler of the two modes and is ideal for connecting two specific endpoints.
Use cases
Best suited for:
- Site-to-site VPN connections
- Simple two-endpoint tunnels
- Scenarios where the tunnel should not interfere with overall routing
- “Dumb” tunnel behavior similar to GRE
P2P mode is useful when you want the OpenVPN tunnel to behave more like a traditional point-to-point link without complex routing interactions.
P2P mode with TLS
When using TLS in P2P mode, both peers perform mutual authentication:
- Each peer verifies the other’s certificate
- Session keys are derived using the TLS handshake
- Renegotiation can occur based on time or traffic limits
- No central authority managing the connection
In TLS P2P mode, both peers are essentially equal - there’s no inherent client/server relationship at the OpenVPN protocol level, though the TLS handshake still has a client and server role.
P2P mode with static keys
Static key mode is the simplest OpenVPN configuration:
- Single pre-shared secret key file
- No TLS handshake overhead
- No perfect forward secrecy
- Includes timestamp for replay protection
P2P mode with DCO
Data Channel Offload is available in P2P mode with some requirements: DCO requires the DATA_V2 packet format, which is available for P2P mode only in OpenVPN 2.6 and later.
From README.dco.md:66:
DATA_v2=1 and an AEAD cipher (AES-XXX-GCM or CHACHA20POLY1305).
Client-server mode
Client-server mode allows a single OpenVPN server to manage multiple client connections simultaneously. This is the most common deployment model for VPN services.
Characteristics
- Scalable: Support for hundreds or thousands of concurrent clients
- Centralized: Server controls routing, addressing, and policies
- Dynamic: Clients can connect and disconnect without server restart
- Flexible: Push configuration options to clients
Server responsibilities
The server performs several critical functions:
IP address management
Virtual IP assignment
- Assigns unique virtual IP addresses to each client
- Maintains an address pool
- Can use static assignments based on common name
- Supports both IPv4 and IPv6
Configuration push
Pushing options to clients
- Routes to add on the client
- DNS server addresses
- DHCP options
- Custom client options
Client routing
Inter-client routing
- Routes traffic between clients (client-to-client)
- Routes traffic from clients to internal networks (iroutes)
- Consults kernel routing tables for forwarding decisions (with DCO)
See README.dco.md:85.
Multi-instance management
The server maintains separate state for each connected client:
- Separate TLS sessions per client
- Per-client encryption keys
- Individual statistics and accounting
- Client-specific access controls
Topology options
Server mode supports different network topologies:
- Subnet (recommended)
- Net30 (legacy)
- P2P
Subnet topology
- Uses a real subnet with network and broadcast addresses
- Most compatible with modern systems
- Required for DCO mode
- Efficient IP address usage
Topology subnet is the only supported --topology for servers using DCO.
Protocol differences
The two modes use different packet formats and protocols:
Control channel
Both modes use the same control channel protocol for:
- TLS handshake
- Key exchange
- Authentication
- Keep-alive messages
See src/openvpn/ssl.h.
Data channel packets
P_DATA_V1
Data packet format version 1. Basic data packet format:
- 1-byte opcode with key ID
- HMAC (optional)
- Cipher IV
- Packet ID
- Encrypted payload
See src/openvpn/ssl.h:336.
Mode selection guidelines
Use point-to-point mode when:
- Connecting exactly two endpoints
- Building site-to-site VPNs
- You need maximum simplicity
- Static configuration is acceptable
- No need for dynamic routing
- You want minimal overhead
Configuration examples
Basic P2P configuration
- Peer 1
- Peer 2
Basic client-server configuration
- Server
- Client
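As an added example (not from the original page), a server and client configuration pair that exercises the points above: subnet topology, an address pool, a ccd-based iroute, client-to-client forwarding, pushed routes and DNS, and an AEAD-only data channel as DCO requires. All addresses, hostnames, common names and paths are constructed placeholders.

```conf
# server.conf (constructed example; addresses, hostnames and paths are placeholders)
dev tun
proto udp
port 1194
# Subnet topology: recommended, and the only topology supported with DCO
topology subnet
# "server" implies mode server and tls-server, gives the server 10.8.0.1 and
# hands out the remaining pool addresses to clients
server 10.8.0.0 255.255.255.0
# Per-client files keyed by certificate common name; the file "branch1" holds
# "iroute 192.168.10.0 255.255.255.0" so the server knows that LAN sits behind it
client-config-dir /etc/openvpn/ccd
# The kernel route must also exist, pointing into the tunnel
route 192.168.10.0 255.255.255.0
# Forward traffic between connected clients
client-to-client
# Configuration push: delivered to every client at connect time
push "route 10.10.0.0 255.255.0.0"
push "dhcp-option DNS 10.10.0.53"
# AEAD-only data channel; listing a cipher DCO does not support disables DCO
data-ciphers AES-256-GCM:CHACHA20-POLY1305
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
# Ephemeral ECDH only, no static DH parameters file
dh none
keepalive 10 60

# client.conf (constructed example)
# "client" implies tls-client and pull, so pushed options are accepted
client
dev tun
proto udp
remote vpn.example.com 1194
# Cipher list must overlap with the server's for DCO to be used on both ends
data-ciphers AES-256-GCM:CHACHA20-POLY1305
ca ca.crt
cert branch1.crt
key branch1.key
# Require the peer certificate to carry the server extended key usage
remote-cert-tls server
```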
Related documentation
- Architecture - OpenVPN architecture overview
- Authentication - Authentication methods and mechanisms
- Encryption - Encryption and cipher information