Glossary
What is OpenVPN
A mature, widely-supported VPN protocol that runs on TCP/443, useful when faster protocols are blocked.
OpenVPN is a VPN protocol from 2001. It's the compatibility fallback that runs on almost everything (routers, NAS boxes, ancient Linux distributions) and through almost any network, including hotel networks that block UDP. When WireGuard and VLESS Reality both fail, OpenVPN over TCP/443 usually still connects.
How OpenVPN works
OpenVPN runs two channels:
- Control channel — handles authentication and key exchange, wrapped in TLS using OpenSSL or mbedTLS. It's the same TLS protocol your browser uses for HTTPS, but carried inside OpenVPN's own control-channel packet framing rather than as a raw TLS stream.
- Data channel — carries your actual VPN traffic, encrypted with whatever symmetric cipher was negotiated on the control channel.
A modern deployment uses TLS 1.3, ECDSA certificates, and AES-256-GCM. Older deployments still run TLS 1.2 and RSA, which is fine cryptographically but slower.
OpenVPN can run on UDP (faster) or TCP (more compatible). UDP is the default. TCP is the fallback when UDP is blocked, which happens on hotel networks, hospital networks, and corporate networks that aggressively filter outbound UDP.
Where OpenVPN wins
Reach. OpenVPN over TCP/443 looks like an HTTPS connection at first glance. It runs on the same port as web traffic. Hotel firewalls and corporate proxies that block VPNs by port can't block OpenVPN-over-443 without also blocking websites.
Maturity. OpenVPN has been audited multiple times, deployed in production for two decades, and works on essentially every operating system. The protocol's age is a strength here — every weird edge case has been encountered and patched.
Where OpenVPN loses
Speed. OpenVPN is meaningfully slower than WireGuard. The control channel is heavier, the data path involves more userspace work, and TCP fallback adds head-of-line blocking when packets are lost. On a fast home connection, you'll see noticeably lower throughput than WireGuard.
Recognisability. Despite running on port 443, OpenVPN's traffic patterns are detectable by DPI. A determined censor can fingerprint OpenVPN handshakes and block them. This is why OpenVPN alone isn't enough in places like Iran or Russia.
Certificate revocation. Long-lived OpenVPN client certs are a security risk that's hard to mitigate without significant infrastructure work: a leaked cert stays valid until it expires unless every server checks a revocation list that you keep current.
Modern OpenVPN deployments
The big improvement in recent years is short-lived certificates. Instead of issuing a 12-month client cert that has to be revoked if compromised, you issue a 24-hour cert from a Vault PKI. If it leaks, the exposure is bounded to the cert's remaining lifetime, at most 24 hours, with no revocation step needed.
Fexyn does this. Fexyn Secure uses OpenVPN with 24-hour certificates issued by Vault PKI. The configuration also forces DNS through the tunnel and uses AES-256-GCM with TLS 1.3.
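As an added example of the deployment pattern this page describes (UDP first with a TCP/443 fallback, TLS 1.3 and AES-256-GCM, a daily-rotated client certificate, DNS forced through the tunnel), here is an OpenVPN 2.5+ client profile. It is illustrative, not Fexyn's own configuration; the hostname vpn.example.com, the file names and the resolver address are placeholders.

```conf
# Added example: an OpenVPN 2.5+ client profile that encodes the settings
# described above. Hostname, file names and the resolver address are
# placeholders; this is not Fexyn's published configuration.
client
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite

# Try the faster UDP endpoint first; if it gets no answer, fall back to
# TCP/443, the port firewalls rarely block. Remotes are tried in listed
# order because remote-random is not set; connect-retry backs off 2s..30s.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp-client
connect-retry 2 30

# Control channel: require TLS 1.3 (the server must support it too), and
# verify that the peer really is the server, not another client's cert.
tls-version-min 1.3
remote-cert-tls server
verify-x509-name vpn.example.com name

# Data channel: AEAD only. data-ciphers replaces the deprecated 'cipher'
# and 'ncp-ciphers' directives; a server offering only CBC modes is refused.
# (auth only matters for non-AEAD ciphers and the tls-auth HMAC.)
data-ciphers AES-256-GCM
auth SHA256

# Short-lived identity: client.crt/client.key is a 24-hour certificate from
# the PKI. Something outside this file must fetch a fresh pair before expiry;
# that daily rotation, not revocation, is what bounds a leaked cert.
ca ca.crt
cert client.crt
key client.key

# Force all traffic, DNS included, through the tunnel. dhcp-option is
# applied natively on Windows; on Linux an up script has to apply it.
redirect-gateway def1
dhcp-option DNS 10.8.0.1
# Windows-only leak guard; 'setenv opt' makes it a no-op on other platforms
# instead of a fatal unknown-option error.
setenv opt block-outside-dns

verb 3
```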
Read more about OpenVPN on Fexyn or compare it to the alternatives in the protocols comparison.
Try Fexyn free for 7 days — Secure is automatically used as a fallback when faster protocols are blocked.