The DSVPN server listens for a single encrypted TCP connection and routes all client traffic to the internet. One command starts the server; DSVPN handles all firewall and routing setup automatically — no iptables rules to write, no ip route commands to memorise. When you stop the server, every rule it added is removed cleanly.

Minimal Server Command

Because every argument after the key file defaults to auto, and trailing auto arguments can be omitted, the absolute minimum server command is:
sudo ./dsvpn server vpn.key
This listens on all interfaces on port 443 with tunnel IPs 192.168.192.254 (local) and 192.168.192.1 (remote). If you want to use a non-default port, pass it as the third positional argument:
sudo ./dsvpn server vpn.key auto 1959
  • The auto in position three tells DSVPN to bind on all network interfaces (equivalent to 0.0.0.0).
  • 1959 is the TCP port to listen on.
Use port 443 when clients may be on restricted networks that only permit HTTPS traffic. Any port works on open networks; 1959 is used in the official README examples.

What DSVPN Configures Automatically

DSVPN applies all necessary networking rules when it starts and removes them when it exits. You do not need to run any of these commands yourself.
On Linux, DSVPN runs the following commands automatically:
Enable IP forwarding and configure the TUN interface:
sysctl net.ipv4.ip_forward=1
ip addr add 192.168.192.254 peer 192.168.192.1 dev <tun>
ip -6 addr add 64:ff9b::192.168.192.254 peer 64:ff9b::192.168.192.1/96 dev <tun>
ip link set dev <tun> up
Anti-spoof rule — drops packets claiming to arrive at the tunnel IP from a non-TUN interface:
iptables -t raw -I PREROUTING ! -i <tun> -d 192.168.192.254 -m addrtype ! --src-type LOCAL -j DROP
NAT masquerade — rewrites outbound traffic from the client’s tunnel IP to the server’s external IP:
iptables -t nat -A POSTROUTING -o <ext-if> -s 192.168.192.1 -j MASQUERADE
Forward rules — allow forwarding between the TUN interface and the external interface:
iptables -t filter -A FORWARD -i <ext-if> -o <tun> -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i <tun> -o <ext-if> -j ACCEPT
DSVPN automatically removes every firewall and routing rule it added when it exits — whether via Ctrl-C, SIGTERM, or a clean shutdown. You do not need to manually clean up after stopping the server.
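The rules listed above, and their removal on exit, can be checked against iptables-save output. The shell function below is an added example, not part of DSVPN or its documentation; the interface names tun0 and eth0, the /32 suffix on saved host addresses, and the sample rule dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not DSVPN code): report which of the four iptables rules
# listed above are present in `iptables-save` text read from stdin.
# Assumptions: default tunnel IPs, host addresses saved with a /32 suffix.
LOCAL_IP=192.168.192.254
REMOTE_IP=192.168.192.1

# dsvpn_rule_audit TUN EXT_IF  -> prints "<rule> present|absent", one per line
dsvpn_rule_audit() {
    awk -v tun="$1" -v ext="$2" -v lip="$LOCAL_IP/32" -v rip="$REMOTE_IP/32" '
    # has(): whole-token match, so 192.168.192.1/32 never matches 192.168.192.10/32
    function has(frag) { return index(" " $0 " ", " " frag " ") > 0 }
    /^\*/ { table = substr($0, 2); next }      # section headers: *raw, *nat, *filter
    table == "raw" && has("-A PREROUTING") && has("! -i " tun) &&
        has("-d " lip) && has("! --src-type LOCAL") && has("-j DROP") { f["anti-spoof"] = 1 }
    table == "nat" && has("-A POSTROUTING") && has("-o " ext) &&
        has("-s " rip) && has("-j MASQUERADE") { f["masquerade"] = 1 }
    table == "filter" && has("-A FORWARD") && has("-i " ext) && has("-o " tun) &&
        has("RELATED,ESTABLISHED") && has("-j ACCEPT") { f["forward-in"] = 1 }
    table == "filter" && has("-A FORWARD") && has("-i " tun) && has("-o " ext) &&
        has("-j ACCEPT") { f["forward-out"] = 1 }
    END {
        n = split("anti-spoof masquerade forward-in forward-out", names, " ")
        for (i = 1; i <= n; i++)
            print names[i], ((names[i] in f) ? "present" : "absent")
    }'
}

# Constructed sample: iptables-save output while the server runs (tun0, eth0 assumed)
sample_running() {
    cat <<'EOF'
*raw
-A PREROUTING -d 192.168.192.254/32 ! -i tun0 -m addrtype ! --src-type LOCAL -j DROP
COMMIT
*nat
-A POSTROUTING -s 192.168.192.1/32 -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
EOF
}

sample_running | dsvpn_rule_audit tun0 eth0
```

On a live host, run iptables-save as root and pipe it into dsvpn_rule_audit with the real TUN and external interface names. All four rules should be present while the server runs and absent after it exits; a leftover masquerade or forward rule means the host is still forwarding for the tunnel address.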

OpenBSD Note

On OpenBSD, DSVPN cannot configure NAT automatically because pf rules must be managed by the administrator. After starting the server, DSVPN prints the exact rule you need to add to /etc/pf.conf:
pass out from 192.168.192.1 nat-to egress
Add this line to /etc/pf.conf and reload the ruleset:
sudo pfctl -f /etc/pf.conf
This rule masquerades outbound traffic from the client’s tunnel IP (192.168.192.1) behind the server’s egress interface. Without it, client traffic reaches the internet but replies are never routed back.

Single Active Session

The DSVPN server supports one active client session at a time. When a new TCP connection arrives:
  • If the connecting IP matches the existing client’s IP, the old connection is replaced by the new one (handles reconnects gracefully).
  • If the connecting IP is different from the current session’s IP, the new connection is rejected with a busy error while the original session remains active.
This is a deliberate design choice for simplicity. If you need to serve multiple clients simultaneously, run multiple DSVPN instances on different ports with different tunnel IP ranges.

Running as a Service

For production deployments, run DSVPN under a process supervisor so it restarts automatically on reboot or crash.

systemd service files

Evaggelos Balaskas maintains ready-to-use systemd unit files for DSVPN. Copy the unit file to /etc/systemd/system/ and enable it with systemctl enable --now dsvpn.

Ansible role

Robert Debock maintains an Ansible role that installs, configures, and starts DSVPN as a service. Suitable for fleet deployments.
These community resources provide ready-made service configurations. DSVPN itself does not ship an official systemd unit file.
