
OpenVPN. How the service works

The OpenVPN module in the BeAdmin panel brings up a VPN on the classic OpenVPN protocol — a mature, time‑tested standard with certificate‑based authentication and its own PKI. It runs over UDP and TCP, including TCP on port 443, which makes it usable in networks that filter UDP aggressively — corporate proxies, for example.

The problem OpenVPN solves

By the early 2000s the common VPN protocols (IPsec, PPTP, L2TP) relied on their own protocol numbers and modes, which home routers and corporate firewalls regularly blocked. Setup often required kernel privileges available only to the administrator, and the tunnels coped poorly with NAT.

OpenVPN was designed on top of standard TLS over an ordinary UDP or TCP port — the same primitives that HTTPS runs on. The result is a VPN that passes through NAT routers, can run on TCP 443 when needed, and relies on the familiar X.509 infrastructure (CA, client certificates, revocation). For more than twenty years these properties have remained its main difference from newer protocols.

How OpenVPN works

OpenVPN rests on three engineering decisions.

TLS over an ordinary UDP or TCP port. The session is split into a control channel and a data channel multiplexed on a single socket. The control channel is a real TLS handshake (just like HTTPS), authenticating the parties and negotiating keys. The data channel is a separate stream of AEAD‑encrypted packets from a virtual interface. At the port level the VPN is indistinguishable from a normal TLS connection.

Certificate‑based authentication. The server has its own certificate authority; every client has a personal certificate signed by that authority. A revoked client certificate is listed in the CRL (certificate revocation list), and the server checks the CRL on every connection. This removes the "one compromised key, every user at risk" problem.

HMAC firewall in front of TLS. Before the TLS handshake itself, every packet is verified against a separate static key: without a valid signature the server simply ignores the packet, returning neither an error nor a reset. A third‑party scanner on that port receives no response at all until it presents the key.
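
A simplified model of the pre‑TLS check described above, added here as an illustration and not taken from OpenVPN or BeAdmin. The packet layout (a 32‑byte HMAC‑SHA256 tag followed by the payload), the function names and the sample traffic are assumptions; OpenVPN's real wire format differs.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 size; this layout is an assumption, not OpenVPN's wire format


def seal(static_key: bytes, payload: bytes) -> bytes:
    """Client side: prepend a tag computed with the shared static key."""
    return hmac.new(static_key, payload, hashlib.sha256).digest() + payload


def gate(static_key: bytes, packet: bytes):
    """Server side: return the payload for the TLS layer, or None to drop silently."""
    if len(packet) <= TAG_LEN:
        return None  # too short to carry a tag and data: drop, send nothing
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(static_key, payload, hashlib.sha256).digest()
    # compare_digest is constant-time, so a rejected packet leaks no timing hint
    if not hmac.compare_digest(tag, expected):
        return None  # no error and no reset: the sender learns nothing
    return payload


def serve(static_key: bytes, packets):
    """One entry per packet; None means the server stayed silent."""
    replies = []
    for pkt in packets:
        payload = gate(static_key, pkt)
        # Only packets that pass the gate ever reach TLS parsing
        replies.append(None if payload is None else b"TLS-LAYER:" + payload)
    return replies


# Constructed sample traffic
KEY = bytes(range(32))                           # constructed static key
HELLO = b"\x16\x03\x01constructed-hello"         # stand-in for a first handshake packet
good = seal(KEY, HELLO)                          # client that holds the key
tampered = good[:-1] + bytes([good[-1] ^ 1])     # one bit flipped in transit
probe = HELLO                                    # scanner that has no key at all
wrong_key = seal(os.urandom(32), HELLO)          # client with a different key

if __name__ == "__main__":
    names = ("good", "tampered", "probe", "wrong_key")
    for name, reply in zip(names, serve(KEY, [good, tampered, probe, wrong_key])):
        print(f"{name:10} -> {reply}")
```

Only the packet sealed with the server's key reaches the TLS layer; the other three produce no reply of any kind.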

What OpenVPN cannot do

It is worth naming the common expectations that OpenVPN does not meet.

  • It does not mask traffic from aggressive censorship. The control‑channel TLS handshake has a recognisable structure; the HMAC firewall only hides the metadata of the first packet, not the fact of an OpenVPN session in a long‑running flow. DPI systems with active probing identify OpenVPN statistically. For such networks you want Xray with HTTPS masking or Amnezia with handshake masking on top of WireGuard.
  • It is not lightweight. The TLS handshake takes several round trips between client and server, and the code base is orders of magnitude larger than WireGuard's. On mobile clients the difference in battery use and connection time is noticeable.
  • It is not roaming‑friendly. A change of client IP mid‑session breaks the connection and forces a fresh TLS handshake. The user sees a brief reconnect. WireGuard handles the same event silently.
  • TUN only and IPv4 only in our implementation. The module runs on the L3 tun interface and serves IPv4 traffic. L2 mode (tap) and IPv6 are not supported in BeAdmin. The cipher AES-256-GCM is hard‑wired and cannot be changed from the UI.
  • It does not make VPN legal. If using a VPN is restricted or prohibited in your jurisdiction, OpenVPN does not change that.

OpenVPN in BeAdmin

The OpenVPN module in BeAdmin installs in one click. The panel prepares the certificate authority, the server certificate and the protocol parameters on its own, then issues every user a personal certificate signed by that authority. There is no need to edit configuration files or work in the command line.

For each user the panel produces a ready .ovpn connection file with the keys and certificates embedded. The file is downloaded from the panel or emailed to the user. The client imports the .ovpn into the OpenVPN Connect app — available on Windows, macOS, Linux, Android and iOS — or into any compatible OpenVPN client.
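
An added example, not BeAdmin's own code: a small auditor that checks a received .ovpn profile against the properties this page describes (embedded CA, certificate and key, a static key for the pre‑TLS HMAC check, tun device, AES‑256‑GCM). It assumes the profile uses standard OpenVPN directives and inline blocks; the page does not show the file BeAdmin generates, so both sample profiles and the host name are constructed.

```python
import re

INLINE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)  # <ca>...</ca> style blocks


def parse_ovpn(text):
    """Return ({directive: argument list}, {inline block name: body})."""
    text = text.replace("\r\n", "\n")
    blocks = {m.group(1): m.group(2) for m in INLINE.finditer(text)}
    directives = {}
    for line in INLINE.sub("", text).splitlines():
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()  # strip comments
        if words:
            directives.setdefault(words[0], words[1:])
    return directives, blocks


def audit(text):
    """List deviations from the profile the page describes (empty list = none)."""
    d, b = parse_ovpn(text)
    findings = [f"missing inline <{t}> block" for t in ("ca", "cert", "key") if t not in b]
    if "key" in b and "PRIVATE KEY" not in b["key"]:
        findings.append("<key> block holds no private key")
    if not ({"tls-auth", "tls-crypt"} & b.keys()):
        findings.append("no static key for the pre-TLS HMAC check")
    if not (d.get("dev") or [""])[0].startswith("tun"):
        findings.append("dev is not tun")
    offered = (d.get("data-ciphers") or d.get("cipher") or [""])[0].split(":")
    if "AES-256-GCM" not in offered:
        findings.append("AES-256-GCM not offered")
    return findings


def _block(tag, label):
    """Build a constructed inline block with placeholder contents."""
    return f"<{tag}>\n-----BEGIN {label}-----\n(constructed)\n-----END {label}-----\n</{tag}>\n"


# Constructed profiles: GOOD matches the page, BAD deviates in three ways
STATIC = _block("tls-crypt", "OpenVPN Static key V1")
GOOD = ("client\ndev tun\nproto tcp\nremote vpn.example.com 443\ncipher AES-256-GCM\n"
        + _block("ca", "CERTIFICATE") + _block("cert", "CERTIFICATE")
        + _block("key", "PRIVATE KEY") + STATIC)
BAD = GOOD.replace("dev tun", "dev tap").replace("AES-256-GCM", "BF-CBC").replace(STATIC, "")

if __name__ == "__main__":
    print("GOOD:", audit(GOOD))
    print("BAD: ", audit(BAD))
```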

What the server needs: a regular VPS or a physical machine. On container‑based servers (LXC, OpenVZ without full virtualisation) the module will not start — full access to the network stack is required. Modern Ubuntu and Debian are supported.

When to choose OpenVPN

Choose OpenVPN when:

  • The network lets through only TCP — corporate proxies, hotel Wi‑Fi, education networks. OpenVPN is one of the few VPNs that natively works over TCP (including port 443); most modern protocols do not.
  • You need compatibility with the widest possible client ecosystem. The OpenVPN Connect app and compatible clients exist on every modern platform and many older systems where other VPN clients are not available yet.
  • X.509 PKI is already in place and the VPN needs to fit into the existing certificate model. OpenVPN uses the same certificate type as web servers; no parallel key system is required.

OpenVPN is not a good fit when:

  • The network actively blocks or probes OpenVPN traffic (state‑level DPI with probing). Use Xray with HTTPS masking or Amnezia with handshake masking on top of WireGuard.
  • Battery economy and a fast handshake on mobile clients matter. WireGuard is lighter and faster — the difference shows in connection setup and battery use on long sessions.
  • You need a "one tap" experience for the end user. Outline has a simpler key import (one link, one QR); WireGuard has a built‑in client in many operating systems. OpenVPN requires importing the .ovpn file.

If in doubt — install OpenVPN in BeAdmin and try it for free.

If you don't have a server yet, you can get one from our partners — they offer virtual and dedicated servers with the BeAdmin panel pre‑installed.



BeAdmin © 2025. All rights reserved.