OpenVPN: Listen on TCP and UDP with TUN

Today I’ll describe how to get OpenVPN to listen on both a UDP port and a TCP port, using a tun device for each instance and the same client network for both. Meaning the same client can connect over either TCP or UDP and get the same IP address assigned.

To achieve this, we’re gonna need:

  • OpenVPN
  • Sudo

I’m running this on a Debian Wheezy installation, but any Linux distribution can do the trick.

Let’s create the first OpenVPN instance, listening on UDP/1194. Creation of certificates is not covered by this HOWTO, as plenty of resources can already be found online.

Note that the only difference from a standard VPN configuration is the following line:

learn-address /etc/openvpn/MYVPN/

This configuration line will make the script ‘’ be run whenever a client’s address is learned or unlearned. This allows us to modify the kernel’s routing table upon client connection/disconnection and specify which tunnel interface should be used for that particular client.

Let’s now configure the TCP VPN:

Note that we only changed the name of the log files, the IPP file, the tun device name and, of course, the protocol.

Now, let’s configure a client’s CCD file like the following:

Allow the vpn user to run /sbin/ip through sudo, so that the script can make routing table changes. Let’s create a ‘/etc/sudoers.d/openvpn’ file with the following content:

vpn ALL=(ALL:ALL) NOPASSWD: /sbin/ip

And last but not least, let’s put together the script which will make all the magic:
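A minimal learn-address script of this kind, written here as an added example rather than the post’s own script. It assumes what the OpenVPN manual documents for learn-address: the script is called with the operation (add, update or delete), the client address and, except on delete, the common name, and the instance’s tun device name is exported in the dev environment variable; the log path /tmp/learn.log and the sudo /sbin/ip rule are the ones from this post.

```shell
#!/bin/sh
# Added example: learn-address hook for the dual UDP/TCP setup above.
# Called by OpenVPN as: <script> <operation> <address> [common_name]
# with operation = add | update | delete; the tun device of the calling
# instance (tun0 for UDP, tun1 for TCP) is read from the env var "dev".

LOG=/tmp/learn.log
IP=/sbin/ip   # allowed for the vpn user in /etc/sudoers.d/openvpn

# Build the "ip route" command for one learn-address event and print it,
# so the decision can be checked without touching the routing table.
# Returns 1 for an unknown operation.
route_cmd() {
    op=$1; addr=$2; tun=$3
    case "$op" in
        add|update)
            # Host route for the client, pointed at the instance the client is
            # on right now; "replace" also covers a re-add after a protocol switch.
            echo "sudo $IP route replace $addr/32 dev $tun" ;;
        delete)
            echo "sudo $IP route del $addr/32" ;;
        *)
            return 1 ;;
    esac
}

# Log the event in the same style as the post, then apply the route change.
handle() {
    op=$1; addr=$2; cn=${3:-}
    tun=${dev:?dev not exported by OpenVPN}
    cmd=$(route_cmd "$op" "$addr" "$tun") || {
        echo "[-] Unknown operation $op for $addr" >> "$LOG"; return 1; }
    case "$op" in
        delete) echo "[-] Deleting $addr -> $tun" >> "$LOG" ;;
        *)      echo "[-] Adding $addr -> $tun (client $cn)" >> "$LOG" ;;
    esac
    $cmd >> "$LOG" 2>&1   # non-zero exit is reported back to OpenVPN
}

# Only act when invoked by OpenVPN with arguments; sourcing the file for
# inspection defines the functions without changing any route.
if [ "$#" -ge 2 ]; then
    handle "$@"
fi
```

Install it at the path given to learn-address, owned by root, executable, and with both server instances running as the vpn user so the sudo rule applies.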

As some comments have mentioned, you also need to run these:

# adduser --system --group vpn
# chmod +x

Now, you can try to make your client connect to the UDP instance, disconnect, and connect again to the TCP one. You can tail -f the /tmp/learn.log file to see the routing changes if everything is working:

[-] Adding addr -> tun0
[-] Deleting addr ->
[-] Adding addr -> tun1
[-] Deleting addr ->

Was this useful to you? Have questions? Thoughts? Don’t hesitate to leave a comment if so.