Protocol
OpenVPN on Fexyn
Fexyn Secure — the protocol we keep around for the networks where the modern options struggle.
Why we still ship OpenVPN
OpenVPN has been around since 2001 and runs almost everywhere. That history is also why it's broadly compatible: TCP transport on port 443 looks ordinary to most middleboxes, and old corporate firewalls that block UDP or strip unfamiliar protocols often let it through.
On Fexyn it's branded Fexyn Secure — the protocol the rotation engine reaches for last, after WireGuard and VLESS Reality, when those don't connect.
How Fexyn configures OpenVPN
- TLS 1.3 control channel with ECDSA P-256 keys.
- AES-256-GCM data channel encryption.
- 24-hour short-lived client certificates issued by Vault PKI — no long-lived secrets sit on the device.
- Per-server intermediate CAs, pinned in the helper service. Each VPN server identifies itself with a unique certificate chain the client recognises.
- tls-auth HMAC keys per server to drop unsigned packets at the edge.
Compression is disabled in both directions to avoid the VORACLE class of cross-protocol attacks. The client and server are configured to refuse compression negotiation entirely.
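The settings listed above can be checked mechanically against a client profile. The following is an added example, not Fexyn's own configuration or tooling: it audits OpenVPN config text for the TLS floor, data cipher, compression refusal and tls-auth key using standard OpenVPN 2.5+ directive names. The sample profiles and hostname are constructed, and requiring an explicit `allow-compression no` is an assumption of this sketch.

```python
def parse_config(text):
    """Return (directive, args) pairs; inline <tag> blocks count as the directive."""
    entries, inline = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if inline:  # skip key/cert material until the closing tag
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1].lower()
            entries.append((inline, ["[inline]"]))
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit(text):
    """Return findings; an empty list means the config matches the settings above."""
    entries = parse_config(text)
    last = dict(entries)  # a repeated directive: the last occurrence is checked
    findings = []
    if (last.get("tls-version-min") or [None])[0] != "1.3":
        findings.append("tls-version-min is not 1.3")
    ciphers = (last.get("data-ciphers") or last.get("cipher") or [""])[0]
    if ciphers.upper().split(":") != ["AES-256-GCM"]:
        findings.append("data channel is not restricted to AES-256-GCM")
    findings += [f"compression directive present: {name}"
                 for name, _ in entries if name in ("comp-lzo", "compress")]
    # Assumption: require an explicit refusal rather than relying on version defaults.
    if (last.get("allow-compression") or [None])[0] != "no":
        findings.append("allow-compression is not set to no")
    if "tls-auth" not in last:
        findings.append("no tls-auth key configured")
    return findings

# Constructed sample configs (not Fexyn's); vpn.example.test is a placeholder host.
WEAK = """remote vpn.example.test 443
cipher AES-256-CBC
comp-lzo adaptive
tls-version-min 1.2"""
HARDENED = """remote vpn.example.test 443
tls-version-min 1.3
data-ciphers AES-256-GCM
allow-compression no
<tls-auth>
constructed-placeholder-not-a-real-key
</tls-auth>"""
```

`audit(WEAK)` reports all five deviations, while `audit(HARDENED)` returns an empty list.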
When OpenVPN is the right choice
- Networks that block UDP and only allow TCP outbound.
- Older or restrictive corporate environments where modern VPN protocols are unfamiliar to the firewall.
- Captive portals and hotel networks that selectively allow TCP/443 traffic.
- Situations where you need the most broadly compatible option, even if it costs some throughput.
Tradeoffs to know about
- Lower throughput than WireGuard on the same link. The TCP fallback path adds head-of-line blocking when packets are lost.
- Higher CPU usage than WireGuard on the client because of the older cipher framework.
- Slower handshake. The first connection can take a couple of seconds longer than WireGuard does.
- It's a recognisable protocol. OpenVPN doesn't try to disguise itself — networks that specifically block OpenVPN by signature will block Fexyn Secure too. For those networks, Fexyn Stealth (VLESS Reality) is the better option.
How rotation chooses OpenVPN
Fexyn's rotation engine starts with the protocol most likely to give the best experience on your network. WireGuard goes first when it's expected to work; Fexyn Stealth goes first when the network looks restrictive. If both fail to establish a connection, the engine tries OpenVPN. That order is configurable from the app, so if you know your network only allows OpenVPN you can pin it as the default.
Related reading
- WireGuard on Fexyn — the speed-first option
- VLESS Reality / XRay on Fexyn — the censorship-resistant option
- VPN for Windows
- Security overview
- Download Fexyn for Windows
Fexyn Secure ships with every plan and the 7-day free trial. You don't have to pick a protocol up front — the app handles it.