campagnol - Decentralized VPN over UDP tunneling


campagnol [−dDhmvV] [-p pidfile] [configuration_file]


Campagnol is a distributed IP-based VPN software able to open new connections through NATs or firewalls without any configuration. It uses UDP for the transport layer and utilizes tunneling and encryption (with DTLS).

This software is the client part of the VPN, i.e. the software that will send/receive the packets on the VPN after authentication and encryption. This program is non-interactive and can run as a daemon.

Campagnol starts off with registering with the rendezvous (RDV) server which keeps track of every clients of the VPN. It will then regularly exchange some small messages with the RDV server in order to keep the connection alive and maintain the translation tables of the NATs. Later on the RDV server is used to initiate the UDP hole punching between two clients.

Campagnol uses the TUN kernel driver to create a virtual network interface for the VPN and then associates a route to this interface. When a packet for a unknown peer arrives on the TUN device, Campagnol asks the RDV server for a new connection. This initiate the UDP hole punching between the two peers. Once the connection is established, the two peers open a DTLS session, authenticate each other and eventually the link is ready. This is a peer to peer connection: no data will flow through the RDV server or any other node. After some time of inactivity (or if one of the peer exits) the session will be closed.


−d, --debug

debug mode

−D, --daemon

start the client in background (daemonize) and create a PID file in /usr/local/var/run/ or in another file defined with --pidfile

−h, --help

print help, then exit

−m, --mlock

lock the process’s pages into RAM by calling the mlockall system call if available

−p, --pidfile=pidfile

write the pid into pidfile when running in background

−v, --verbose

verbose mode

−V, --version

show version information and exit


The communications between two peers are opened when needed and are fully authenticated and encrypted thanks to DTLS.

Campagnol uses an X.509 certificate based security. Each client needs to own a valid certificate and its associated key pair. Therefore a typical usage is to have a minimum PKI to manage the VPN. You will for instance generate:

• a private key (your CA) and an associated trusted root certificate distributed to all the clients

• one private key and one signed certificate per client

• possibly a certificate revocation list to manage the old client’s certificates

The cipher list used by OpenSSL can be defined in the configuration file. By default Campagnol uses OpenSSL’s default algorithms. You can use the ciphers command from OpenSSL to see the available algorithms:

$ openssl ciphers -v -tls1 DEFAULT



Campagnol will close all connections and quit.


will cause Campagnol to close all connections, disconnect from the RDV server, reread the key, the certificates and the CRL, and restart. The configuration file is not reread.


will cause Campagnol to reread the key, the certificates and the CRL. The new files will be used for the subsequent connections. It’s especially useful to load a new CRL.


Campagnol needs a configuration file. It will use by default /usr/local/etc/campagnol.conf but you can specify another file as a command line argument.

The syntax of this file and all the available options are described in campagnol.conf(5).

You can use the sample configuration file as a basis for writing your own.



The default configuration file used if none is given on the command line.


campagnol_rdv(8), campagnol.conf(5), openssl-ciphers(1), RFC 4347 "Datagram Transport Layer Security"


Florent Bondoux <>