
OpenVPN 2.7 adds multi-socket servers, DCO Linux kernel module, and enhanced DNS support
OpenVPN 2.7 delivers several major updates to this open source VPN daemon. Multi-socket support now allows servers to manage multiple addresses, ports, and protocols in a single deployment, enabling more flexible network configurations. The release also upgrades DNS support across platforms. Linux, BSD, and macOS gain improved default client DNS handling, while the Windows client adds split DNS and DNSSEC features.
On Windows, the update enforces the block-local flag through Windows Filtering Platform filters, generates network adapters on demand, and runs the service as an unprivileged user for greater security. The win-dco driver replaces wintun as the default network driver, with tap-windows6 as a fallback, and server mode is now supported for win-dco.
Together, these architectural changes improve functionality and stability on Windows. In parallel, OpenVPN 2.7 enforces AES-GCM usage limits on the data channel, uses epoch data keys, and introduces client-side support for the PUSH_UPDATE message, which lets servers update options such as routing or DNS without requiring clients to reconnect.
On Linux, OpenVPN 2.7 adds support for the new OpenVPN DCO kernel module, which is available immediately for current kernels through the ovpn-backports project. TLS 1.3 is also now supported when using bleeding-edge versions of mbedTLS.