Platform Notes


  • If you use IPv6 on a tun/tap interface and use pf(4) firewall, pf(4) will silently drop all fragmented IPv6 packets. To amend, add a rule pass in on tun<x> fragment to /etc/pf.conf
  • to use tap devices, you need to load the tap driver with kldload if_tap
  • if you want to run an OpenVPN Server that listens on IPv4 and IPv6, run the server with --proto udp6 or --proto tcp6-server and run sysctl -w net.inet6.ip6.v6only=0 beforehand (this will hopefully be fixed in OpenVPN 2.4)


  • Using "named" tap interfaces (--dev tap3) does not work unless you create the interfaces beforehand with ifconfig tap3 create. This is due to the way tap interfaces are created, see tap(4) man page.
  • if the system is set to autoconfigure IPv6 addresses (ip6mode=autohost in /etc/rc.conf), and there are IPv6 router advertisements coming in on the normal LAN interface, OpenVPN TAP mode + IPv6 will not work. The reason behind this is that the NetBSD kernel enforces the "an IPv6 autoconfiguring host must only have one single IPv6 interface" rule (technical: the "connected/cloning" route (UC) for the IPv6 /64 configured on the TAP interface is removed by the kernel upon reception of a RA on the LAN interface, and subsequently neighbor discovery on the TAP interface fails). Using "tun" mode works, because this kernel behaviour only seems to apply to interfaces that do neighbor discovery (ND), which tun ifs don't do. Workaround: set ip6mode=host and statically configure your LAN IPv6 address + routers, or use --dev tun. (This applies to NetBSD at least up to 5.1)
  • NetBSD 3.x can not do IPv6 on tun interfaces - the necessary "multiprotocol" mode was implemented later. Upgrade to NetBSD 5 or later :-)


  • Using TAP interfaces with --dev tap or --dev tap3 does not work - this is due to the way tap devices are implemented on OpenBSD, as a configuration variant of tun(4). To use TAP devices, call --dev tun --dev-type tap or --dev tun3 --dev-type tap
  • running a single server on IPv4 and IPv6 is not possible yet, you must run two server processes (as OpenBSD does not allow IPv4 packets on IPv6 sockets)


  • There currently is no OpenVPN developer that has access to a DragonFlyBSD system, so changes to the code are not tested.
  • DragonFlyBSD has an older version of tun/tap compared to FreeBSD's current version, but it's OK for OpenVPN. The PF firewall also works similarly as FreeBSD's PF.
  • It is reported that OpenVPN (v2.4.3) works on DragonFlyBSD (v4.8.0). If not, open a ticket, please.
  • DragonFlyBSD do not allow IPv4 packets on IPv6 sockets, similar to the above OpenBSD. See also ticket #937.

Mac OS X

  • Mac OS X does not have built-in tun or tap drivers. I found the easiest way to get working tun/tap kernel extensions by installing the Tunnelblick OpenVPN GUI bundle, which contains both.


Last modified 4 months ago Last modified on 09/23/17 02:19:20