How to use OpenVPN with TCP protocol

By default, OpenVPN uses UDP and it is officially recommended to use it. However, TCP also works great with OpenVPN and you can use it if needed. Theoretically, the TCP protocol has more “overhead”, that is, some part of the transmitted data will not carry the payload, but is only necessary for the normal operation of TCP, which monitors the safety and integrity of transmitted packets.

In my case, the need to add TCP support arose due to the fact that with some ISPs OpenVPN on the UDP protocol could not connect due to an error (the error will be discussed later), but it worked fine on the TCP protocol.

To configure OpenVPN to work with TCP, you need to know the following points:

1. The protocol must be specified explicitly

In the settings of the configuration files, instead of the line

;proto tcp

use on the server the line

proto tcp-server

and on the client the line

proto tcp-client

For reference: UDP protocol on both the server and the client is denoted the same way:

proto udp

2. The TCP protocol must be specified in the configuration files of both the server and the client

Protocol settings are not transferred from the server and must be explicitly specified not only on the server itself, but also for each client in the configuration file.

3. Do not use the explicit-exit-notify option

In the server config file, don't use the setting (just remove this line):

explicit-exit-notify 1

Otherwise, you will encounter the error:

Options error: --explicit-exit-notify can only be used with --proto udp

4. The port must be free

This applies equally to how OpenVPN works with UDP and TCP: the selected port must be free, otherwise you will encounter the error “TCP/UDP: Socket bind failed on local address [AF_INET][undef]:…: Address already in use (errno=98)”, for example:

2021-11-02 09:26:50 us=736094 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:53: Address already in use (errno=98)
2021-11-02 09:26:50 us=736216 Exiting due to fatal error

See also: