OpenVPN: Listen on TCP and UDP with TUN

Today I’ll describe how to get OpenVPN to listen on both a UDP and a TCP port, using a tun device and the same client network for both instances. Meaning the same client can connect over either TCP or UDP and get the same IP address assigned.

To achieve this, we’re gonna need:

  • OpenVPN
  • Sudo

I’m running this on a Debian Wheezy installation, but any Linux distribution can do the trick.

Let’s create the first OpenVPN instance, listening on UDP/1194. Certificate creation is not covered by this HOWTO, as plenty of resources can already be found online.

Note that the only difference from a standard VPN configuration is the following line:

learn-address /etc/openvpn/MYVPN/

This configuration line makes the script ‘’ run whenever a client’s address is learned or unlearned. This allows us to modify the kernel’s routing table on client connection/disconnection and specify which tunnel interface should be used for that particular client.

Let’s now configure the TCP VPN:

Note that we only changed the log file names, the ifconfig-pool-persist (IPP) file, the tun device name and, of course, the protocol.

Now, let’s configure a client’s CCD file like the following:

Allow the vpn user to run /sbin/ip through sudo, so the script can make routing table changes. Let’s create a ‘/etc/sudoers.d/openvpn’ file with the following content:

vpn ALL=(ALL:ALL) NOPASSWD: /sbin/ip

And last but not least, let’s put together the script which will make all the magic:
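As an added example of what such a learn-address hook can look like (this is not the post’s own script), here is a POSIX sh version that installs a host route for the client’s address on the tun device of the instance it connected through, and logs in the format shown further down. It assumes OpenVPN’s documented calling convention for learn-address (operation, address, optional common name, with the device name exported as the `dev` environment variable), `script-security 2` in both server configs, and the sudoers entry above.

```shell
#!/bin/sh
# learn-address hook (added example): pin a /32 host route for each client
# to the tun device of the instance (UDP/tun0 or TCP/tun1) it used.
# OpenVPN runs it as: <script> add|update|delete <address> [common-name]
# and exports the instance's device name in the "dev" environment variable.
# Needs "script-security 2" in both server configs and sudo access to /sbin/ip.

LOG=/tmp/learn.log

# Build the ip(8) command for one operation. Addresses from iroute may
# already carry a prefix length; bare client IPs get /32 appended.
route_cmd() {
    dst=$2
    case "$dst" in */*) ;; *) dst="$dst/32" ;; esac
    case "$1" in
        add|update) echo "/sbin/ip route replace $dst dev $3" ;;
        delete)     echo "/sbin/ip route del $dst" ;;
        *)          return 1 ;;
    esac
}

# Log line in the same style the post shows in /tmp/learn.log.
log_msg() {
    case "$1" in
        add|update) echo "[-] Adding addr $2 -> $3" ;;
        delete)     echo "[-] Deleting addr $2 ->" ;;
        *)          echo "[-] Unknown op $1 for $2" ;;
    esac
}

# Apply one operation. Exit 0 even on unknown operations: a non-zero exit on
# add/update makes OpenVPN reject the address and the client gets no IP.
handle() {
    cmd=$(route_cmd "$1" "$2" "$dev") || { log_msg "$1" "$2" >>"$LOG"; exit 0; }
    log_msg "$1" "$2" "$dev" >>"$LOG"
    # $cmd is assembled from values OpenVPN passed us; word-split on purpose.
    sudo $cmd >>"$LOG" 2>&1
}

# Only act when invoked by OpenVPN (dev exported, operation and address given);
# loading the file without arguments just defines the functions.
if [ -n "$dev" ] && [ $# -ge 2 ]; then
    handle "$@"
fi
```

Because the host route is more specific than the server subnet route each instance installs, the kernel sends the client’s traffic to whichever tun device it is currently connected through.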

As some comments have mentioned, you also need to run these:

# adduser --system --group vpn
# chmod +x

Now, you can try and make your client connect to the UDP instance, disconnect and connect again to the TCP one. You can tail -f the /tmp/learn.log file in which you can see routing changes if everything is working:

[-] Adding addr -> tun0
[-] Deleting addr ->
[-] Adding addr -> tun1
[-] Deleting addr ->

Was this useful to you? Have questions? Thoughts? Don’t hesitate to leave a comment if so.