The DSVPN server listens for a single encrypted TCP connection and routes all client traffic to the internet. One command starts the server; DSVPN handles all firewall and routing setup automatically — no iptables rules to write, no ip route commands to memorise. When you stop the server, every rule it added is removed cleanly.
Minimal Server Command
Because every argument after the key file defaults to auto, and trailing auto arguments can be omitted, the absolute minimum server command is:
192.168.192.254 (local) and 192.168.192.1 (remote).
If you want to use a non-default port, pass it as the third positional argument:
- The auto in position three tells DSVPN to bind on all network interfaces (equivalent to 0.0.0.0).
- 1959 is the TCP port to listen on.
What DSVPN Configures Automatically
DSVPN applies all necessary networking rules when it starts and removes them when it exits. You do not need to run any of these commands yourself.
On Linux, DSVPN runs the following commands automatically:
- Enable IP forwarding and configure the TUN interface
- Anti-spoof rule — drops packets claiming to arrive at the tunnel IP from a non-TUN interface
- NAT masquerade — rewrites outbound traffic from the client’s tunnel IP to the server’s external IP
- Forward rules — allow forwarding between the TUN interface and the external interface
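One way to verify the rule kinds listed above from the outside, as an added example that is not DSVPN's own code: the script counts them in `iptables-save` output, so you can confirm they exist while the server runs and that none remain after it exits. The tunnel addresses are the defaults named on this page; the interface names `tun0` and `eth0` and the sample rule text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not DSVPN's own code. Tunnel IPs are the defaults named on
# this page; interface names and the sample rules are assumptions.
LOCAL_TUN_IP=192.168.192.254    # server end of the tunnel
REMOTE_TUN_IP=192.168.192.1     # client end of the tunnel

# count_rules TUN_IF: read iptables-save output on stdin and print
# "antispoof=N nat=N forward=N" for the rule kinds listed above.
count_rules() {
    awk -v tun="$1" -v lip="$LOCAL_TUN_IP" -v rip="$REMOTE_TUN_IP" '
    # Whole-token literal match, so 192.168.192.1 never matches 192.168.192.10
    function has(s) { return index(" " $0 " ", " " s " ") > 0 }
    function addr(opt, ip) { return has(opt " " ip) || has(opt " " ip "/32") }
    /^\*/   { table = substr($0, 2); next }   # table header: *raw, *nat, *filter
    !/^-A / { next }                          # skip chain policies and COMMIT
    addr("-d", lip) && has("! -i " tun) && has("-j DROP")     { spoof++ }
    table == "nat" && addr("-s", rip) && has("-j MASQUERADE") { nat++ }
    table == "filter" && $2 == "FORWARD" && has("-j ACCEPT") &&
        (has("-i " tun) || has("-o " tun))                    { fwd++ }
    END { printf "antispoof=%d nat=%d forward=%d\n", spoof, nat, fwd }'
}

# check_state running|stopped TUN_IF: exit 0 when the dump on stdin matches
# (running = every kind present; stopped = nothing left behind).
check_state() {
    counts=$(count_rules "$2")
    case "$1:$counts" in
        running:*=0*) return 1 ;;
        running:*)    return 0 ;;
        stopped:"antispoof=0 nat=0 forward=0") return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample of a dump taken while the server is running.
sample_running() {
    cat <<'EOF'
*raw
-A PREROUTING -d 192.168.192.254/32 ! -i tun0 -m addrtype ! --src-type LOCAL -j DROP
*nat
-A POSTROUTING -s 192.168.192.1/32 -o eth0 -j MASQUERADE
*filter
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
```

On a live host, pipe the real dump in instead of the sample, for example `iptables-save | check_state stopped tun0` after stopping the server, substituting your actual TUN interface name.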
DSVPN automatically removes every firewall and routing rule it added when it exits — whether via Ctrl-C, SIGTERM, or a clean shutdown. You do not need to manually clean up after stopping the server.
OpenBSD Note
On OpenBSD, DSVPN cannot configure NAT automatically because pf rules must be managed by the administrator. After starting the server, DSVPN prints the exact rule you need to add to /etc/pf.conf:
/etc/pf.conf and reload the ruleset:
192.168.192.1) behind the server’s egress interface. Without it, client traffic reaches the internet but replies are never routed back.
Single Active Session
The DSVPN server supports one active client session at a time. When a new TCP connection arrives:
- If the connecting IP matches the existing client’s IP, the old connection is replaced by the new one (handles reconnects gracefully).
- If the connecting IP is different from the current session’s IP, the new connection is rejected with a busy error while the original session remains active.
Running as a Service
For production deployments, run DSVPN under a process supervisor so it restarts automatically on reboot or crash.
systemd service files
Evaggelos Balaskas maintains ready-to-use systemd unit files for DSVPN. Copy the unit file to /etc/systemd/system/ and enable it with systemctl enable --now dsvpn.
Ansible role
Robert Debock maintains an Ansible role that installs, configures, and starts DSVPN as a service. Suitable for fleet deployments.