diff --git a/kernel/ovpn-dco/Makefile b/kernel/ovpn-dco/Makefile index 64113d3627e9b..28a7715c4f8ed 100644 --- a/kernel/ovpn-dco/Makefile +++ b/kernel/ovpn-dco/Makefile @@ -8,15 +8,16 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk -PKG_NAME:=ovpn-dco -PKG_VERSION:=0.2.20250801 +PKG_NAME:=ovpn-backports +PKG_VERSION:=6.17.0.2025112700 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL= \ https://build.openvpn.net/downloads/releases \ - https://codeload.github.com/OpenVPN/ovpn-dco/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=542677e69266e99babb560408b61705ef38a7c469eb820a81f609171faa61b20 + https://swupdate.openvpn.net/community/releases +PKG_HASH:=4f9e92ad9c62e2e768e4f6db16ae47a81d161f72fce7e1ea89ab4c9a9239c479 +PKG_BUILD_PARALLEL:=1 PKG_MAINTAINER:=Jianhui Zhao PKG_LICENSE:=GPL-2.0-only @@ -24,17 +25,22 @@ PKG_LICENSE:=GPL-2.0-only include $(INCLUDE_DIR)/package.mk -define KernelPackage/ovpn-dco-v2 +define KernelPackage/ovpn SUBMENU:=Network Support TITLE:=OpenVPN data channel offload - DEPENDS:= \ + DEPENDS:= @LINUX_6_12 \ +kmod-udptunnel4 +IPV6:kmod-udptunnel6 \ +kmod-crypto-chacha20poly1305 +kmod-crypto-lib-chacha20 +kmod-crypto-lib-poly1305 - FILES:=$(PKG_BUILD_DIR)/drivers/net/ovpn-dco/ovpn-dco-v2.ko - AUTOLOAD:=$(call AutoLoad,30,ovpn-dco-v2) + # Note: TCP requires STREAM_PARSER but it can't be selected by out-of-tree + # modules, so pull in AF_KCM for now. This needs to be patched on kernel + # side. + #KCONFIG:=CONFIG_STREAM_PARSER=y + KCONFIG:=CONFIG_AF_KCM + FILES:=$(PKG_BUILD_DIR)/drivers/net/ovpn/ovpn.ko + AUTOLOAD:=$(call AutoLoad,30,ovpn) endef -define KernelPackage/ovpn-dco-v2/description +define KernelPackage/ovpn/description This module enhances the performance of the OpenVPN userspace software by offloading the data channel processing to kernelspace. endef 
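Review bot: `KCONFIG:=CONFIG_AF_KCM` in the `KernelPackage/ovpn` definition switches on a whole kernel socket family only to get STREAM_PARSER selected, and the comment above it does not say what that costs. FILES lists only `ovpn.ko`, so whether KCM ends up built in or as an unshipped module depends on how the build resolves the symbol; if it is built in, every image carrying this package exposes AF_KCM sockets to local users, which is attack surface unrelated to OpenVPN. I would extend the comment with something like `# AF_KCM is enabled only as a carrier for STREAM_PARSER; it must not be shipped or autoloaded. Remove once the kernel lets ovpn select STREAM_PARSER.` and either drop the commented-out `#KCONFIG:=CONFIG_STREAM_PARSER=y` line or keep it with a reference to the kernel-side change it is waiting for.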
@@ -46,20 +52,19 @@ NOSTDINC_FLAGS += \ -include $(PKG_BUILD_DIR)/linux-compat.h EXTRA_KCONFIG:= \ - CONFIG_OVPN_DCO_V2=m + CONFIG_OVPN=m -PKG_EXTMOD_SUBDIRS = drivers/net/ovpn-dco +PKG_EXTMOD_SUBDIRS = drivers/net/ovpn MAKE_OPTS:= \ - $(KERNEL_MAKE_FLAGS) \ - M="$(PKG_BUILD_DIR)/drivers/net/ovpn-dco" \ + M="$(PKG_BUILD_DIR)/$(PKG_EXTMOD_SUBDIRS)" \ NOSTDINC_FLAGS="$(NOSTDINC_FLAGS)" \ $(EXTRA_KCONFIG) define Build/Compile - $(MAKE) -C "$(LINUX_DIR)" \ + +$(KERNEL_MAKE) $(PKG_JOBS) \ $(MAKE_OPTS) \ modules endef -$(eval $(call KernelPackage,ovpn-dco-v2)) +$(eval $(call KernelPackage,ovpn)) diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile index e859bd89c5a54..3fb0f5ed735f8 100644 --- a/net/openvpn/Makefile +++ b/net/openvpn/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.6.14 -PKG_RELEASE:=5 +PKG_VERSION:=2.7.0 +PKG_RELEASE:=1 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ https://swupdate.openvpn.net/community/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_HASH:=9eb6a6618352f9e7b771a9d38ae1631b5edfeed6d40233e243e602ddf2195e7a +PKG_HASH:=2f0e10eb272be61e8fb25fe1cfa20875ff30ac857ef1418000c02290bd6dfa45 PKG_MAINTAINER:= diff --git a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch index 59d805ad3e31a..1e777330f06b7 100644 --- a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch +++ b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch @@ -1,11 +1,15 @@ --- a/src/openvpn/ssl_mbedtls.c 
+++ b/src/openvpn/ssl_mbedtls.c -@@ -1616,7 +1616,7 @@ const char * +@@ -1573,11 +1573,7 @@ show_available_curves(void) + const char * get_ssl_library_version(void) { - static char mbedtls_version[30]; +- static char mbedtls_version[30]; - unsigned int pv = mbedtls_version_get_number(); -+ unsigned int pv = MBEDTLS_VERSION_NUMBER; - snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", - (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ); - return mbedtls_version; +- snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", (pv >> 24) & 0xff, +- (pv >> 16) & 0xff, (pv >> 8) & 0xff); +- return mbedtls_version; ++ return "mbed TLS " MBEDTLS_VERSION_STRING; + } + + void diff --git a/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch b/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch deleted file mode 100644 index 264c28b4b80f2..0000000000000 --- a/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- a/src/openvpn/crypto_openssl.c -+++ b/src/openvpn/crypto_openssl.c -@@ -49,7 +49,7 @@ - #include - #include - --#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER) - #include - #endif - #if OPENSSL_VERSION_NUMBER >= 0x30000000L -@@ -1398,7 +1398,7 @@ memcmp_constant_time(const void *a, cons - return CRYPTO_memcmp(a, b, size); - } - --#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER) - bool - ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, - int secret_len, uint8_t *output, int output_len) 
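Review bot: The rewritten `get_ssl_library_version()` in 100-mbedtls-disable-runtime-version-check.patch returns `"mbed TLS " MBEDTLS_VERSION_STRING`, so the version OpenVPN prints is the one from the headers it was compiled against, not the libmbedtls actually loaded at run time. When the library is a shared object and is updated on its own, the reported version goes stale, which matters to anyone using that output to check whether a device runs a vulnerable mbed TLS. The patch file begins directly at `--- a/src/openvpn/ssl_mbedtls.c` with no description; I would add a short header saying why the runtime call is removed and that the string is build-time only.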
diff --git a/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch b/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch deleted file mode 100644 index 50834b3bb77c0..0000000000000 --- a/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- a/src/openvpn/ssl_openssl.c -+++ b/src/openvpn/ssl_openssl.c -@@ -1347,7 +1347,7 @@ err: - return 0; - } - --#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) -+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL) - - /* called when EC_KEY is destroyed */ - static void -@@ -1508,7 +1508,7 @@ tls_ctx_use_management_external_key(stru - goto cleanup; - } - } --#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) -+#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL) - #if OPENSSL_VERSION_NUMBER < 0x30000000L - else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) - #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ diff --git a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch index 690521ee649d7..72f529a02b53c 100644 --- a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch +++ b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch @@ -1,6 +1,6 @@ --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c -@@ -267,6 +267,9 @@ backend_x509_get_username(char *common_n +@@ -257,6 +257,9 @@ backend_x509_get_username(char *common_n return FAILURE; } }