diff --git a/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua b/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua
index 0800e1c08..1266800d8 100755
--- a/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua
+++ b/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua
@@ -1321,7 +1321,18 @@ end
function backupgr()
local get_backup = luci.http.formvalue("restore") or ""
if get_backup ~= "" then
- luci.sys.call("/etc/init.d/openmptcprouter-vps backup_get >/dev/null 2>/dev/null")
+ local dobackup = 0
+ ucic:foreach("openmptcprouter","server", function(s)
+ servername = s[".name"]
+ local get_selected_backup = luci.http.formvalue(servername .. "") or ""
+ if get_selected_backup ~= "" then
+ dobackup = 1
+ luci.sys.call("/etc/init.d/openmptcprouter-vps backup_get " .. servername .. " " .. get_selected_backup .. ">/dev/null 2>/dev/null")
+ end
+ end)
+ if dobackup == 0 then
+ luci.sys.call("/etc/init.d/openmptcprouter-vps backup_get >/dev/null 2>/dev/null")
+ end
end
local send_backup = luci.http.formvalue("save") or ""
if send_backup ~= "" then
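Review bot: The `luci.sys.call` added inside the `ucic:foreach` callback builds a shell command by concatenating the request field `get_selected_backup` (and `servername`) with no quoting, so any shell metacharacter in the submitted value is interpreted by the shell under the LuCI process's privileges. Quote both arguments and add the missing space before the redirect, e.g. `luci.sys.call("/etc/init.d/openmptcprouter-vps backup_get " .. luci.util.shellquote(servername) .. " " .. luci.util.shellquote(get_selected_backup) .. " >/dev/null 2>/dev/null")`, assuming `luci.util` is loaded in this controller. It would also be worth accepting the value only when it matches one of the names stored in the server's `allbackup` list. `servername` is assigned without `local` and so becomes a global; `local servername = s[".name"]` avoids that. The body of `backupgr` continues outside this hunk.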
diff --git a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/backup.htm b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/backup.htm
index f7ebf5bb0..83016ce63 100755
--- a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/backup.htm
+++ b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/backup.htm
@@ -16,10 +16,36 @@ menuentry = ucic:get("openmptcprouter","settings","menu") or "openmptcprouter"
%>
<%=servername%>
<%
- if luci.model.uci.cursor():get("openmptcprouter",servername,"lastbackup") ~= nil then
+ if luci.model.uci.cursor():get("openmptcprouter",servername,"allbackup") ~= nil then
%>
- <%:Last available backup on server:%> <%=os.date('%d-%b-%Y', luci.model.uci.cursor():get("openmptcprouter",servername,"lastbackup"))%>
+
+
<%:Backup availables on server%>
+
+
+
+ <%
+ lastmodif=""
+ allbackup=luci.model.uci.cursor():get("openmptcprouter",servername,"allbackup")
+ for _, backup in pairs(allbackup) do
+ filemodif=split(backup, '|')
+ if filemodif[2] ~= lastmodif then
+ lastmodif=filemodif[2]
+ %>
+ <%=os.date('%c',filemodif[2])%>
+ <%
+ end
+ end
+ %>
+
+
+
+
+ <%
+ elseif luci.model.uci.cursor():get("openmptcprouter",servername,"lastbackup") ~= nil then
+ %>
+
+ <%:Last available backup on server:%> <%=os.date('%c', luci.model.uci.cursor():get("openmptcprouter",servername,"lastbackup"))%>
<% else %>
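Review bot: The new loop passes `filemodif[2]` straight to `os.date('%c', ...)` without checking it, although the `name|modiftime` entries come from the VPS's JSON reply; an entry whose second field is missing or non-numeric is not handled and can break rendering of the page. Convert and check first, e.g. `local ts = tonumber(filemodif[2])` followed by `if ts and ts ~= lastmodif then`. `lastmodif`, `allbackup` and `filemodif` are assigned as globals inside the template and should be declared `local`. The markup around these lines is not visible here; if the backup name (`filemodif[1]`) is written into the page or a form value, it should go through `pcdata()`. The template block starts and ends outside this hunk.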
@@ -29,6 +55,7 @@ menuentry = ucic:get("openmptcprouter","settings","menu") or "openmptcprouter"
<%
end)
%>
+
diff --git a/mptcp/files/etc/init.d/mptcp b/mptcp/files/etc/init.d/mptcp
index 29790f1dd..a8d3a95c1 100755
--- a/mptcp/files/etc/init.d/mptcp
+++ b/mptcp/files/etc/init.d/mptcp
@@ -91,9 +91,9 @@ interface_max_metric() {
fi
elif [ "$1" = "omrvpn" ]; then
uci -q batch <<-EOF >/dev/null
- set network.${config}.metric=9000
+ set network.${config}.metric=1500
commit network
- set openmptcprouter.${config}.metric=9000
+ set openmptcprouter.${config}.metric=1500
commit openmptcprouter
EOF
elif [ "$1" = "omr6in4" ]; then
diff --git a/mptcp/files/etc/uci-defaults/mptcp-defaults b/mptcp/files/etc/uci-defaults/mptcp-defaults
index a67049fb2..f0ae166d0 100755
--- a/mptcp/files/etc/uci-defaults/mptcp-defaults
+++ b/mptcp/files/etc/uci-defaults/mptcp-defaults
@@ -4,7 +4,7 @@ if [ "$(uci -q get network.globals.mptcp_path_manager)" = "" ]; then
set network.globals.multipath='enable'
set network.globals.mptcp_path_manager='fullmesh'
set network.globals.mptcp_scheduler='blest'
- set network.globals.congestion='cubic'
+ set network.globals.congestion='bbr2'
set network.globals.mptcp_checksum=0
set network.globals.mptcp_debug=0
set network.globals.mptcp_syn_retries=4
diff --git a/mptcp/files/usr/share/omr/post-tracking.d/020-status b/mptcp/files/usr/share/omr/post-tracking.d/020-status
index 9db4ce63b..e4bb91ce1 100755
--- a/mptcp/files/usr/share/omr/post-tracking.d/020-status
+++ b/mptcp/files/usr/share/omr/post-tracking.d/020-status
@@ -65,12 +65,12 @@ if [ -n "$OMR_TRACKER_INTERFACE" ] && ([ "$(uci -q get openmptcprouter.$OMR_TRAC
}
fi
[ -n "$ipaddr" ] && [ "$(uci -q get openmptcprouter.$OMR_TRACKER_INTERFACE.publicip)" != "$ipaddr" ] && {
- _log "New public ip detected for $OMR_TRACKER_INTERFACE ($OMR_TRACKER_DEVICE): $ipaddr"
+ _log "New public ip detected for $OMR_TRACKER_INTERFACE ($OMR_TRACKER_DEVICE): $ipaddr (previous: $(uci -q get openmptcprouter.$OMR_TRACKER_INTERFACE.publicip))"
+ uci -q set openmptcprouter.$OMR_TRACKER_INTERFACE.publicip="$ipaddr"
/etc/init.d/mptcp enabled && {
_log "Reload MPTCP for $OMR_TRACKER_DEVICE"
/etc/init.d/mptcp reload "$OMR_TRACKER_DEVICE" 2>&1 >/dev/null
}
- uci -q set openmptcprouter.$OMR_TRACKER_INTERFACE.publicip="$ipaddr"
}
[ -n "$OMR_TRACKER_LATENCY" ] && uci -q set openmptcprouter.$OMR_TRACKER_INTERFACE.latency="$OMR_TRACKER_LATENCY"
[ -n "$asn" ] && [ "$(uci -q get openmptcprouter.$OMR_TRACKER_INTERFACE.asn)" != "$asn" ] && {
diff --git a/openmptcprouter/files/etc/init.d/openmptcprouter-vps b/openmptcprouter/files/etc/init.d/openmptcprouter-vps
index 6f40c124b..e14113ce6 100755
--- a/openmptcprouter/files/etc/init.d/openmptcprouter-vps
+++ b/openmptcprouter/files/etc/init.d/openmptcprouter-vps
@@ -1770,6 +1770,7 @@ _backup_get() {
_backup_get_and_apply() {
servername=$1
+ backupfile=$2
token=""
vps_config=""
_login
@@ -1780,7 +1781,12 @@ _backup_get_and_apply() {
EOF
return
}
- vps_backup=$(_get_json "backupget")
+ if [ -n "$backupfile" ]; then
+ echo "get $backupfile"
+ vps_backup=$(_get_json "backupget?filename=${backupfile}")
+ else
+ vps_backup=$(_get_json "backupget")
+ fi
[ -z "$vps_backup" ] && return
backup_data="$(echo "$vps_backup" | jsonfilter -q -e '@.data')"
backup_sha256sum="$(echo "$vps_backup" | jsonfilter -q -e '@.sha256sum')"
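Review bot: `backupfile` (introduced as `backupfile=$2` in the previous hunk) is interpolated into the request as `backupget?filename=${backupfile}` with neither validation nor URL-encoding, so a value containing characters such as `&`, `#` or whitespace changes the request sent to the VPS API instead of naming a file. Since the value originates from the web form, reject anything outside the expected name set before the call, e.g. `case "$backupfile" in *[!A-Za-z0-9._-]*) return ;; esac` (adjust the class to the names the server actually produces). `echo "get $backupfile"` looks like leftover debug output and should go through `_log` or be dropped. `_backup_get_and_apply` starts and ends outside this hunk, so the sha256 comparison that presumably follows is not visible here.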
@@ -1791,11 +1797,16 @@ _backup_get_and_apply() {
}
backup_get() {
- lastbackup=""
- serverbackup=""
- config_load openmptcprouter
- config_foreach _backup_get server
- [ -n "$serverbackup" ] && _backup_get_and_apply $serverbackup
+ backuptoapply=$2
+ if [ -n "$backuptoapply" ]; then
+ _backup_get_and_apply $1 $2
+ else
+ lastbackup=""
+ serverbackup=""
+ config_load openmptcprouter
+ config_foreach _backup_get server
+ [ -n "$serverbackup" ] && _backup_get_and_apply $serverbackup
+ fi
}
_backup_list() {
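Review bot: In `backup_get`, the new call `_backup_get_and_apply $1 $2` expands both arguments unquoted, so a server name or backup file name containing whitespace or glob characters is split or expanded before the function sees it; use `_backup_get_and_apply "$1" "$2"`. Note also that when only a server name is passed (`$2` empty) the function falls through to the automatic selection and silently ignores `$1`; if that is intended, a short comment such as `# $1 = server, $2 = backup file; with no $2 the most recent backup across servers is applied` would make it clear.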
@@ -1819,6 +1830,13 @@ _backup_list() {
backup_lastmodif="$(echo "$vps_backup" | jsonfilter -q -e '@.modif')"
[ -n "$backup_lastmodif" ] && {
uci -q set openmptcprouter.$servername.lastbackup=$backup_lastmodif
+ backup_all="$(echo "$vps_backup" | jsonfilter -q -e '@.sorted[*]')"
+ uci -q del openmptcprouter.$servername.allbackup
+ echo "$vps_backup" | jsonfilter -q -e '@.sorted[*]' | while read backup; do
+ name=$(echo "$backup" | jsonfilter -q -e '@[0]' | tr -d '\n')
+ modiftime=$(echo "$backup" | jsonfilter -q -e '@[1]' | tr -d '\n')
+ uci -q add_list openmptcprouter.$servername.allbackup="${name}|${modiftime}"
+ done
}
}
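Review bot: `backup_all` is assigned but never read in the visible lines, and the loop stores `name` and `modiftime` from the server's reply in UCI without any check, even though the view later splits the entry on `|` and feeds the second field to `os.date`. Drop the unused assignment, use `while read -r backup; do` so backslashes are not mangled, and skip malformed entries, e.g. `case "$modiftime" in ''|*[!0-9]*) continue ;; esac` plus a similar check that `name` contains no `|`. `_backup_list` starts outside this hunk.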
diff --git a/openmptcprouter/files/etc/uci-defaults/2020-omr-vpn b/openmptcprouter/files/etc/uci-defaults/2020-omr-vpn
index e97097043..5e1e38c7a 100755
--- a/openmptcprouter/files/etc/uci-defaults/2020-omr-vpn
+++ b/openmptcprouter/files/etc/uci-defaults/2020-omr-vpn
@@ -149,16 +149,16 @@ if [ "$(uci -q get network.tun0.mtu)" = "1200" ] || [ -z "$(uci -q get network.t
uci -q batch <<-EOF >/dev/null
set network.tun0=device
set network.tun0.name='tun0'
- set network.tun0.mtu=9000
+ set network.tun0.mtu=1500
commit network
EOF
fi
if [ "$(uci -q get openmptcprouter.settings.vpn)" = "" ]; then
uci -q batch <<-EOF >/dev/null
- set openmptcprouter.settings.vpn='glorytun_udp'
- set glorytun-udp.vpn.enable='1'
- commit glorytun-udp
+ set openmptcprouter.settings.vpn='glorytun_tcp'
+ set glorytun.vpn.enable='1'
+ commit glorytun
commit openmptcprouter
EOF
fi
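Review bot: The guard around the `tun0` block, as far as it is visible in the truncated hunk header, only matches an MTU of `1200` or an apparently unset value, so routers that already received `mtu=9000` from the previous default would keep it after this change. If the intent is to move existing installs to 1500 as well, the condition needs an extra test such as `|| [ "$(uci -q get network.tun0.mtu)" = "9000" ]`; if 9000 may have been set deliberately by the user, a comment stating that only fresh installs are affected would help. The same applies to the `glorytun_udp` to `glorytun_tcp` switch, which only runs when `openmptcprouter.settings.vpn` is empty.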
diff --git a/openvpn/Config-mbedtls.in b/openvpn/Config-mbedtls.in
index 3cf233b8f..edcfbdf9d 100644
--- a/openvpn/Config-mbedtls.in
+++ b/openvpn/Config-mbedtls.in
@@ -24,26 +24,22 @@ config OPENVPN_mbedtls_ENABLE_FRAGMENT
bool "Enable internal fragmentation support (--fragment)"
default y
-config OPENVPN_mbedtls_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
config OPENVPN_mbedtls_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)"
default y
-config OPENVPN_mbedtls_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_mbedtls_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
config OPENVPN_mbedtls_ENABLE_IPROUTE2
bool "Enable support for iproute2"
default n
+config OPENVPN_mbedtls_ENABLE_DCO
+ depends on !OPENVPN_mbedtls_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_mbedtls_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
config OPENVPN_mbedtls_ENABLE_SMALL
bool "Enable size optimization"
default y
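Review bot: In the new `OPENVPN_mbedtls_ENABLE_DCO` entry, `default n if OPENVPN_mbedtls_ENABLE_IPROUTE2` can never take effect, because `depends on !OPENVPN_mbedtls_ENABLE_IPROUTE2` already hides the symbol whenever IPROUTE2 is enabled, and a bool without a default is `n` anyway. Replace it with a plain `default n` (or drop the line) so the entry says what it does. The same line appears in the openssl and wolfssl hunks.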
diff --git a/openvpn/Config-openssl.in b/openvpn/Config-openssl.in
index 7a7be74db..c09b45e10 100644
--- a/openvpn/Config-openssl.in
+++ b/openvpn/Config-openssl.in
@@ -28,26 +28,22 @@ config OPENVPN_openssl_ENABLE_FRAGMENT
bool "Enable internal fragmentation support (--fragment)"
default y
-config OPENVPN_openssl_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
config OPENVPN_openssl_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)"
default y
-config OPENVPN_openssl_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_openssl_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
config OPENVPN_openssl_ENABLE_IPROUTE2
bool "Enable support for iproute2"
default n
+config OPENVPN_openssl_ENABLE_DCO
+ depends on !OPENVPN_openssl_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_openssl_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
config OPENVPN_openssl_ENABLE_SMALL
bool "Enable size optimization"
default y
diff --git a/openvpn/Config-wolfssl.in b/openvpn/Config-wolfssl.in
index ef8b9dcb3..bd076460a 100644
--- a/openvpn/Config-wolfssl.in
+++ b/openvpn/Config-wolfssl.in
@@ -33,26 +33,22 @@ config OPENVPN_wolfssl_ENABLE_FRAGMENT
bool "Enable internal fragmentation support (--fragment)"
default y
-config OPENVPN_wolfssl_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
config OPENVPN_wolfssl_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)"
default y
-config OPENVPN_wolfssl_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_wolfssl_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
config OPENVPN_wolfssl_ENABLE_IPROUTE2
bool "Enable support for iproute2"
default n
+config OPENVPN_wolfssl_ENABLE_DCO
+ depends on !OPENVPN_wolfssl_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_openssl_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
config OPENVPN_wolfssl_ENABLE_SMALL
bool "Enable size optimization"
default y
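Review bot: The wolfssl DCO entry refers to the wrong variant: `default n if OPENVPN_openssl_ENABLE_IPROUTE2` names the openssl symbol while the `depends on` line above it uses `OPENVPN_wolfssl_ENABLE_IPROUTE2`, which looks like a copy-paste slip. Use `default n` (the conditional is redundant given the `depends on`), or at least `default n if OPENVPN_wolfssl_ENABLE_IPROUTE2`.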
diff --git a/openvpn/Makefile b/openvpn/Makefile
index ac76841b8..752d38535 100644
--- a/openvpn/Makefile
+++ b/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
-PKG_VERSION:=2.5.8
-PKG_RELEASE:=3
+PKG_VERSION:=2.6.5
+PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_HASH:=e34efdb9a3789a760cfc91d57349dfb1e31da169c98c06cb490c6a8a015638e2
PKG_MAINTAINER:=Magnus Kroken
@@ -36,14 +36,14 @@ define Package/openvpn/Default
URL:=http://openvpn.net
SUBMENU:=VPN
MENU:=1
- DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
+ DEPENDS:=+kmod-tun +libcap-ng +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_LZ4:liblz4 +OPENVPN_$(1)_ENABLE_IPROUTE2:ip +OPENVPN_$(1)_ENABLE_DCO:libnl-genl $(3)
VARIANT:=$(1)
PROVIDES:=openvpn openvpn-crypto
endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
-Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl)
+Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL,+PACKAGE_openvpn-wolfssl:libwolfssl)
define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in"
@@ -80,11 +80,9 @@ define Build/Configure
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
+ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DCO),--enable,--disable)-dco \
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
$(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \
diff --git a/openvpn/files/openvpn.options b/openvpn/files/openvpn.options
index 5a7c756f7..7e3aedb0d 100644
--- a/openvpn/files/openvpn.options
+++ b/openvpn/files/openvpn.options
@@ -54,7 +54,6 @@ iroute_ipv6
keepalive
key
key_direction
-keysize
learn_address
link_mtu
lladdr
diff --git a/openvpn/patches/001-reproducible-remove_DATE.patch b/openvpn/patches/001-reproducible-remove_DATE.patch
deleted file mode 100644
index e4e6d3941..000000000
--- a/openvpn/patches/001-reproducible-remove_DATE.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/src/openvpn/options.c
-+++ b/src/openvpn/options.c
-@@ -105,7 +105,6 @@ const char title_string[] =
- #endif
- #endif
- " [AEAD]"
-- " built on " __DATE__
- ;
-
- #ifndef ENABLE_SMALL
diff --git a/openvpn/patches/002-add-wolfssl-support.patch b/openvpn/patches/002-add-wolfssl-support.patch
deleted file mode 100644
index 7311a36eb..000000000
--- a/openvpn/patches/002-add-wolfssl-support.patch
+++ /dev/null
@@ -1,190 +0,0 @@
-From: Gert Doering
-
-Support for wolfSSL in OpenVPN
-
-This patch adds support for wolfSSL in OpenVPN. Support is added by using
-wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
-and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
-linked against the wolfSSL library. The wolfSSL installation directory is
-detected using pkg-config.
-
-As requested by OpenVPN maintainers, this patch does not include
-wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
-in the configure script wolfSSL will include wolfssl/options.h on its own
-(change added in wolfSSL/wolfssl#2825). The patch
-adds an option '--disable-wolfssl-options-h' in case the user would like
-to supply their own settings file for wolfSSL.
-
-wolfSSL:
-Support added in: wolfSSL/wolfssl#2503
-
-git clone https://github.com/wolfSSL/wolfssl.git
-cd wolfssl
-./autogen.sh
-./configure --enable-openvpn
-make
-sudo make install
-
-OpenVPN:
-
-autoreconf -i -v -f
-./configure --with-crypto-library=wolfssl
-make
-make check
-sudo make install
-
-Signed-off-by: Juliusz Sosinowicz
-Acked-by: Arne Schwabe
-Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
-Signed-off-by: Gert Doering
----
- configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- src/openvpn/syshead.h | 3 ++-
- 2 files changed, 110 insertions(+), 3 deletions(-)
---- a/configure.ac
-+++ b/configure.ac
-@@ -271,16 +271,23 @@ AC_ARG_WITH(
-
- AC_ARG_WITH(
- [crypto-library],
-- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
-+ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
- [
- case "${withval}" in
-- openssl|mbedtls) ;;
-+ openssl|mbedtls|wolfssl) ;;
- *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
- esac
- ],
- [with_crypto_library="openssl"]
- )
-
-+AC_ARG_ENABLE(
-+ [wolfssl-options-h],
-+ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
-+ ,
-+ [enable_wolfssl_options_h="yes"]
-+)
-+
- AC_ARG_WITH(
- [openssl-engine],
- [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
-@@ -1054,6 +1061,105 @@ elif test "${with_crypto_library}" = "mb
- AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
- CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
- CRYPTO_LIBS="${MBEDTLS_LIBS}"
-+
-+elif test "${with_crypto_library}" = "wolfssl"; then
-+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should
-+ contain the regular wolfSSL header files but also the
-+ wolfSSL OpenSSL header files. Ex: -I/usr/local/include
-+ -I/usr/local/include/wolfssl])
-+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
-+
-+ saved_CFLAGS="${CFLAGS}"
-+ saved_LIBS="${LIBS}"
-+
-+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
-+ # if the user did not explicitly specify flags, try to autodetect
-+ PKG_CHECK_MODULES(
-+ [WOLFSSL],
-+ [wolfssl],
-+ [],
-+ [AC_MSG_ERROR([Could not find wolfSSL.])]
-+ )
-+ PKG_CHECK_VAR(
-+ [WOLFSSL_INCLUDEDIR],
-+ [wolfssl],
-+ [includedir],
-+ [],
-+ [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]
-+ )
-+ WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl"
-+ fi
-+ saved_CFLAGS="${CFLAGS}"
-+ saved_LIBS="${LIBS}"
-+ CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
-+ LIBS="${LIBS} ${WOLFSSL_LIBS}"
-+
-+ AC_CHECK_LIB(
-+ [wolfssl],
-+ [wolfSSL_Init],
-+ [],
-+ [AC_MSG_ERROR([Could not link wolfSSL library.])]
-+ )
-+ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
-+
-+ # wolfSSL signal EKM support
-+ have_export_keying_material="yes"
-+
-+ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+
-+ if test "${enable_wolfssl_options_h}" = "yes"; then
-+ AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
-+ else
-+ AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
-+ fi
-+
-+ have_export_keying_material="yes"
-+
-+ CFLAGS="${saved_CFLAGS}"
-+ LIBS="${saved_LIBS}"
-+
-+ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
-+ AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
-+ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
-+ CRYPTO_LIBS="${WOLFSSL_LIBS}"
- else
- AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
- fi
---- a/src/openvpn/syshead.h
-+++ b/src/openvpn/syshead.h
-@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t
- /*
- * Do we have CryptoAPI capability?
- */
--#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
-+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
-+ !defined(ENABLE_CRYPTO_WOLFSSL)
- #define ENABLE_CRYPTOAPI
- #endif
-
diff --git a/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index 42665db87..c54277006 100644
--- a/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
-@@ -1539,7 +1539,7 @@ const char *
+@@ -1535,7 +1535,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];
diff --git a/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch b/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
new file mode 100644
index 000000000..81c09c1e8
--- /dev/null
+++ b/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
@@ -0,0 +1,20 @@
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -51,7 +51,7 @@
+ #include
+ #include
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
+ #include
+ #endif
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+@@ -1419,7 +1419,7 @@ engine_load_key(const char *file, SSL_CT
+ #endif /* if HAVE_OPENSSL_ENGINE */
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
+ bool
+ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+ int secret_len, uint8_t *output, int output_len)
diff --git a/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch b/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
new file mode 100644
index 000000000..f0e7361f2
--- /dev/null
+++ b/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
@@ -0,0 +1,20 @@
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -1351,7 +1351,7 @@ err:
+ return 0;
+ }
+
+-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
++#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
+
+ /* called when EC_KEY is destroyed */
+ static void
+@@ -1512,7 +1512,7 @@ tls_ctx_use_management_external_key(stru
+ goto cleanup;
+ }
+ }
+-#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
++#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
+ #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
diff --git a/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch b/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
new file mode 100644
index 000000000..30e1822a1
--- /dev/null
+++ b/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
@@ -0,0 +1,12 @@
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -269,6 +269,9 @@ backend_x509_get_username(char *common_n
+ return FAILURE;
+ }
+ }
++#if defined(ENABLE_CRYPTO_WOLFSSL)
++ #define LN_serialNumber "serialNumber"
++#endif
+ else if (strcmp(LN_serialNumber, x509_username_field) == 0)
+ {
+ ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
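Review bot: The `#define LN_serialNumber` is inserted between the closing brace of one branch and the following `else if`, in the middle of the function's if/else chain, and it is unguarded, so a wolfSSL release that provides `LN_serialNumber` itself would cause a redefinition. Move it to file scope after the includes and guard it: `#if defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LN_serialNumber)` / `#define LN_serialNumber "serialNumber"` / `#endif`. This patch and the new 101 and 102 patches also carry no description header, so a short line stating origin and reason (for example that external EC key support is disabled for wolfSSL builds) would help whoever refreshes them later. `backend_x509_get_username` starts and ends outside the hunk.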
diff --git a/openvpn/patches/210-build_always_use_internal_lz4.patch b/openvpn/patches/210-build_always_use_internal_lz4.patch
deleted file mode 100644
index b5f675ade..000000000
--- a/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ /dev/null
@@ -1,74 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -1211,68 +1211,15 @@ dnl
- AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
- AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
- if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
-- if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then
-- # if the user did not explicitly specify flags, try to autodetect
-- PKG_CHECK_MODULES([LZ4],
-- [liblz4 >= 1.7.1 liblz4 < 100],
-- [have_lz4="yes"],
-- [LZ4_LIBS="-llz4"] # If this fails, we will do another test next.
-- # We also add set LZ4_LIBS otherwise the
-- # linker will not know about the lz4 library
-- )
-- fi
-
- saved_CFLAGS="${CFLAGS}"
- saved_LIBS="${LIBS}"
- CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
- LIBS="${LIBS} ${LZ4_LIBS}"
-
-- # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars
-- # are used, check the version directly in the LZ4 include file
-- if test "${have_lz4}" != "yes"; then
-- AC_CHECK_HEADERS([lz4.h],
-- [have_lz4h="yes"],
-- [])
--
-- if test "${have_lz4h}" = "yes" ; then
-- AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1])
-- AC_COMPILE_IFELSE(
-- [AC_LANG_PROGRAM([[
--#include
-- ]],
-- [[
--/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */
--#if LZ4_VERSION_NUMBER < 10701L
--#error LZ4 is too old
--#endif
-- ]]
-- )],
-- [
-- AC_MSG_RESULT([ok])
-- have_lz4="yes"
-- ],
-- [AC_MSG_RESULT([system LZ4 library is too old])]
-- )
-- fi
-- fi
--
-- # Double check we have a few needed functions
-- if test "${have_lz4}" = "yes" ; then
-- AC_CHECK_LIB([lz4],
-- [LZ4_compress_default],
-- [],
-- [have_lz4="no"])
-- AC_CHECK_LIB([lz4],
-- [LZ4_decompress_safe],
-- [],
-- [have_lz4="no"])
-- fi
--
-- if test "${have_lz4}" != "yes" ; then
-- AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
-- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
-- LZ4_LIBS=""
-- fi
-+ AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
-+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
-+ LZ4_LIBS=""
- OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
- OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
- AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])
diff --git a/openvpn/patches/220-disable_des.patch b/openvpn/patches/220-disable_des.patch
deleted file mode 100644
index a49c463c4..000000000
--- a/openvpn/patches/220-disable_des.patch
+++ /dev/null
@@ -1,74 +0,0 @@
---- a/src/openvpn/syshead.h
-+++ b/src/openvpn/syshead.h
-@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
- /*
- * Should we include NTLM proxy functionality
- */
--#define NTLM 1
-+//#define NTLM 1
-
- /*
- * Should we include proxy digest auth functionality
---- a/src/openvpn/crypto_mbedtls.c
-+++ b/src/openvpn/crypto_mbedtls.c
-@@ -396,6 +396,7 @@ int
- key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
- {
- int ret = 0;
-+#ifdef MBEDTLS_DES_C
- if (kt->type == MBEDTLS_CIPHER_DES_CBC)
- {
- ret = 1;
-@@ -408,6 +409,7 @@ key_des_num_cblocks(const mbedtls_cipher
- {
- ret = 3;
- }
-+#endif
-
- dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
- return ret;
-@@ -416,6 +418,7 @@ key_des_num_cblocks(const mbedtls_cipher
- bool
- key_des_check(uint8_t *key, int key_len, int ndc)
- {
-+#ifdef MBEDTLS_DES_C
- int i;
- struct buffer b;
-
-@@ -444,11 +447,15 @@ key_des_check(uint8_t *key, int key_len,
-
- err:
- return false;
-+#else
-+ return true;
-+#endif
- }
-
- void
- key_des_fixup(uint8_t *key, int key_len, int ndc)
- {
-+#ifdef MBEDTLS_DES_C
- int i;
- struct buffer b;
-
-@@ -463,6 +470,7 @@ key_des_fixup(uint8_t *key, int key_len,
- }
- mbedtls_des_key_set_parity(key);
- }
-+#endif
- }
-
- /*
-@@ -783,10 +791,12 @@ cipher_des_encrypt_ecb(const unsigned ch
- unsigned char *src,
- unsigned char *dst)
- {
-+#ifdef MBEDTLS_DES_C
- mbedtls_des_context ctx;
-
- ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key)));
- ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst)));
-+#endif
- }
-
-
diff --git a/openvpn/patches/900-add_mptcp_support.patch b/openvpn/patches/900-add-MPTCP-support.patch
similarity index 64%
rename from openvpn/patches/900-add_mptcp_support.patch
rename to openvpn/patches/900-add-MPTCP-support.patch
index 7d3c3b8ad..efcef4f42 100644
--- a/openvpn/patches/900-add_mptcp_support.patch
+++ b/openvpn/patches/900-add-MPTCP-support.patch
@@ -1,8 +1,8 @@
diff --git a/configure.ac b/configure.ac
-index 2f5f6bc7..d15c0910 100644
+index 16c40bb5..04609ebf 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -293,6 +293,12 @@ AC_ARG_WITH(
+@@ -314,6 +314,12 @@ AC_ARG_WITH(
[with_openssl_engine="auto"]
)
@@ -15,9 +15,9 @@ index 2f5f6bc7..d15c0910 100644
AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
-@@ -846,6 +852,22 @@ PKG_CHECK_MODULES(
- []
- )
+@@ -879,6 +885,22 @@ case "$host" in
+ esac
+
+dnl
+dnl Checking Multipath TCP support on Linux
@@ -39,50 +39,47 @@ index 2f5f6bc7..d15c0910 100644
AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])
AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index be8ff80f..b4fe11e2 100644
+index d358ad00..6e5b2d3b 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
-@@ -3449,6 +3449,9 @@ do_init_socket_1(struct context *c, const int mode)
- c->c1.socks_proxy,
+@@ -3359,7 +3359,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
#ifdef ENABLE_DEBUG
- c->options.gremlin,
-+#endif
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
-+ c->options.enable_mptcp,
+ to.gremlin = c->options.gremlin;
#endif
- c->options.ce.bind_local,
- c->options.ce.remote_float,
+-
+ to.plugins = c->plugins;
+
+ #ifdef ENABLE_MANAGEMENT
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
-index 20d1273f..3222fda6 100644
+index 2c51efa6..dac82a68 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
-@@ -130,6 +130,9 @@ static const char usage_message[] =
+@@ -137,6 +137,9 @@ static const char usage_message[] =
" udp6, tcp6-server, tcp6-client\n"
"--proto-force p : only consider protocol p in list of connection profiles.\n"
" p = udp or tcp\n"
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
++#if defined(ENABLE_MPTCP)
+ "--mptcp : Enable Multipath TCP on the TCP connections.\n"
+#endif
"--connect-retry n [m] : For client, number of seconds to wait between\n"
" connection retries (default=%d). On repeated retries\n"
" the wait time is exponentially increased to a maximum of m\n"
-@@ -903,6 +906,11 @@ init_options(struct options *o, const bool init_gc)
+@@ -908,7 +911,9 @@ init_options(struct options *o, const bool init_gc)
}
#endif /* _WIN32 */
o->allow_recursive_routing = false;
-+
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
+-
++#if defined(ENABLE_MPTCP)
+ o->enable_mptcp = false;
+#endif
-+
- }
-
- void
-@@ -8834,6 +8842,18 @@ add_option(struct options *options,
+ #ifndef ENABLE_DCO
+ o->tuntap_options.disable_dco = true;
+ #endif /* ENABLE_DCO */
+@@ -9475,6 +9480,18 @@ add_option(struct options *options,
goto err;
}
}
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
++#if defined(ENABLE_MPTCP)
+ else if (streq(p[0], "mptcp"))
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
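Review bot: The refreshed src/openvpn/init.c section of the inner patch no longer carries any MPTCP change: its only edit deletes a blank line before `to.plugins = c->plugins;` in do_init_crypto_tls. A whitespace-only hunk in an unrelated function is likely to be the first part of the patch to stop applying when upstream touches that area, so the init.c section should be dropped from 900-add-MPTCP-support.patch. The option now appears to be read from the context inside link_socket_init_phase1, which a later hunk of this file changes. The add_option block at the end of this hunk continues outside it.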
@@ -98,10 +95,10 @@ index 20d1273f..3222fda6 100644
{
int i;
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
-index 37220904..465eff52 100644
+index f5890b90..765ce90e 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
-@@ -430,6 +430,9 @@ struct options
+@@ -461,6 +461,9 @@ struct options
#define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
unsigned int server_flags;
@@ -112,7 +109,7 @@ index 37220904..465eff52 100644
bool server_bridge_defined;
diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
-index e79cb0d3..754cdfc5 100644
+index 3609630a..c5f364ff 100644
--- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c
@@ -39,6 +39,14 @@
@@ -120,7 +117,7 @@ index e79cb0d3..754cdfc5 100644
#include "memdbg.h"
+
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
++#if defined(ENABLE_MPTCP)
+#ifndef IPPROTO_MPTCP
+#define IPPROTO_MPTCP 262
+#endif
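Review bot: The fallback `#define IPPROTO_MPTCP 262` is the Linux protocol number, and with the guard reduced to `#if defined(ENABLE_MPTCP)` nothing in ps.c ties it to Linux any more. Whether ENABLE_MPTCP can be set on another target depends on the configure.ac check, whose body is not shown here. I would keep the platform assumption explicit, e.g. `#if defined(ENABLE_MPTCP) && !defined(TARGET_LINUX)` followed by `#error "ENABLE_MPTCP requires Linux"` and `#endif`. The same fallback define is repeated under the same guard in the socket.c hunk further down; one definition in a shared header would keep the two copies from drifting.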
@@ -134,7 +131,7 @@ index e79cb0d3..754cdfc5 100644
struct proxy_connection *cp;
/* connect to port share server */
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
++#if defined(ENABLE_MPTCP)
+ if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_MPTCP)) < 0)
+#else
if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
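Review bot: With ENABLE_MPTCP compiled in, the port-share connection is always opened with `IPPROTO_MPTCP`: the runtime `--mptcp` option is not consulted here, and there is no retry with `IPPROTO_TCP` when the kernel rejects the protocol. On a kernel built without MPTCP, or with it disabled, the proxy would presumably log "PORT SHARE PROXY: cannot create socket" and fail each forwarded connection. Retrying as plain TCP keeps port sharing available there. The `#endif` and the rest of the function lie outside this hunk.
```c
/* connect to port share server */
#if defined(ENABLE_MPTCP)
sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_MPTCP);
if (sd_server < 0)
{
    /* kernel without MPTCP support: retry as plain TCP */
    sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
}
if (sd_server < 0)
#else
/* … unchanged: plain TCP socket() call and error path … */
```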
@@ -143,27 +140,27 @@ index e79cb0d3..754cdfc5 100644
msg(M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket");
return false;
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
-index 28fabe76..e7242020 100644
+index fc643c1c..fba2cdc5 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
-@@ -55,6 +55,12 @@ const int proto_overhead[] = { /* indexed by PROTO_x */
- IPv6_TCP_HEADER_SIZE,
- };
+@@ -61,6 +61,12 @@ sf2gaf(const unsigned int getaddr_flags,
+ }
+ }
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
++#if defined(ENABLE_MPTCP)
+#ifndef IPPROTO_MPTCP
+#define IPPROTO_MPTCP 262
+#endif
+#endif
+
/*
- * Convert sockflags/getaddr_flags into getaddr_flags
+ * Functions related to the translation of DNS names to IP addresses.
*/
-@@ -1093,6 +1099,39 @@ create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags)
+@@ -1085,6 +1091,39 @@ create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags)
return sd;
}
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
++#if defined(ENABLE_MPTCP)
+socket_descriptor_t
+create_socket_mptcp(struct addrinfo *addrinfo)
+{
@@ -199,11 +196,11 @@ index 28fabe76..e7242020 100644
static void
bind_local(struct link_socket *sock, const sa_family_t ai_family)
{
-@@ -1136,6 +1175,21 @@ create_socket(struct link_socket *sock, struct addrinfo *addr)
+@@ -1128,6 +1167,21 @@ create_socket(struct link_socket *sock, struct addrinfo *addr)
}
else if (addr->ai_protocol == IPPROTO_TCP || addr->ai_socktype == SOCK_STREAM)
{
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
++#if defined(ENABLE_MPTCP)
+ if(sock->info.multipath)
+ {
+ sock->sd = create_socket_mptcp(addr);
@@ -221,63 +218,51 @@ index 28fabe76..e7242020 100644
sock->sd = create_socket_tcp(addr);
}
else
-@@ -1891,6 +1945,9 @@ link_socket_init_phase1(struct link_socket *sock,
- struct socks_proxy_info *socks_proxy,
+@@ -1858,7 +1912,9 @@ link_socket_init_phase1(struct context *c, int mode)
#ifdef ENABLE_DEBUG
- int gremlin,
-+#endif
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
-+ bool enable_mptcp,
+ sock->gremlin = o->gremlin;
#endif
- bool bind_local,
- bool remote_float,
-@@ -1920,7 +1977,11 @@ link_socket_init_phase1(struct link_socket *sock,
- sock->inetd = inetd;
- sock->resolve_retry_seconds = resolve_retry_seconds;
- sock->mtu_discover_type = mtu_discover_type;
-
-+
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
-+ sock->info.multipath = enable_mptcp;
++#if defined(ENABLE_MPTCP)
++ sock->info.multipath = o->enable_mptcp;
+#endif
-+
- #ifdef ENABLE_DEBUG
- sock->gremlin = gremlin;
+ sock->socket_buffer_sizes.rcvbuf = o->rcvbuf;
+ sock->socket_buffer_sizes.sndbuf = o->sndbuf;
+
+@@ -2213,7 +2269,7 @@ link_socket_init_phase2(struct context *c)
+ else
#endif
-@@ -2305,7 +2366,7 @@ link_socket_init_phase2(struct link_socket *sock,
- /* If a valid remote has been found, create the socket with its addrinfo */
- if (sock->info.lsa->current_remote)
{
- create_socket(sock, sock->info.lsa->current_remote);
+ create_socket(sock, sock->info.lsa->current_remote);
}
- /* If socket has not already been created create it now */
+ }
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
-index 2ad6155f..0dcb0655 100644
+index bfc1253b..7009daf0 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
-@@ -120,6 +120,9 @@ struct link_socket_info
+@@ -121,6 +121,9 @@ struct link_socket_info
sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/
bool bind_ipv6_only;
int mtu_changed; /* Set to true when mtu value is changed */
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
++#if defined(ENABLE_MPTCP)
+ bool multipath;
+#endif
};
/*
-@@ -315,6 +318,9 @@ link_socket_init_phase1(struct link_socket *sock,
- struct socks_proxy_info *socks_proxy,
+@@ -244,6 +247,9 @@ struct link_socket
#ifdef ENABLE_DEBUG
- int gremlin,
-+#endif
-+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
-+ bool enable_mptcp,
+ int gremlin; /* --gremlin bits */
#endif
- bool bind_local,
- bool remote_float,
-@@ -476,6 +482,10 @@ bool ipv6_addr_safe(const char *ipv6_text_addr);
++#if defined(ENABLE_MPTCP)
++ bool enable_mptcp;
++#endif
+ };
+
+ /*
+@@ -469,6 +475,10 @@ bool ipv6_addr_safe(const char *ipv6_text_addr);
socket_descriptor_t create_socket_tcp(struct addrinfo *);