When you’re running the T2 System Development Environment, you’re usually dealing with an advanced, hands-on Linux setup. T2 isn’t a binary distribution in the traditional sense instead it provides a source-based build framework (the t2-builder toolchain) and a kernel customization utility (t2-kernel). Many T2 users install one of the lightweight desktops—Xfce, LXQt or even GNOME—via module recipes, then tailor their kernel with exactly the drivers and features they need. In that context, your VPN choice must satisfy:

• Source-build friendliness (so it integrates with the t2-builder workflow).
• Kernel compatibility (to wire in modules or patches via t2-kernel).
• Minimal dependencies (so desktop-environment modules don’t bloat your images).

Based on those criteria—and the fact that most T2 enthusiasts are comfortable compiling stuff—you’ll find WireGuard, OpenVPN and StrongSwan (IPsec) to be the best fits. Below is a quick comparison of how they slot into the T2 workflow.

From that list, WireGuard and OpenVPN are universally solid on T2. StrongSwan is powerful but requires extra kernel IPsec flags and can be overkill if you just want a quick tunnel. Below you’ll find step-by-step guidance for installing and configuring WireGuard and OpenVPN on a T2 host.

Installing and Configuring WireGuard

WireGuard relies on a kernel module plus user-space tools. First, enable the module via t2-kernel:

# Step 1: Enable WireGuard in the kernel
sudo t2-kernel menuconfig
# In Networking support → Networking options → enable WireGuard VPN
# Then rebuild and install
sudo t2-kernel build
sudo t2-kernel install
  

Next, build and install the WireGuard user-space tools:

# Step 2: Clone and build the compatibility module (if kernel 
Finally, set up a basic point-to-point interface. Replace PRIVATE_KEY, PEER_PUBLIC_KEY and endpoint info with your values:


# Step 4: Generate keys
wg genkey  tee privatekey  wg pubkey > publickey

# Step 5: Create /etc/wireguard/wg0.conf
sudo tee /etc/wireguard/wg0.conf ltlt EOF
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.0.0.2/24
ListenPort = 51820

[Peer]
PublicKey = PEER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
EOF

# Step 6: Bring up the tunnel
sudo wg-quick up wg0
  
Installing and Configuring OpenVPN
OpenVPN lives entirely in user-space and is generally simpler to compile under T2. Use t2-builder to fetch and build the module:
# Step 1: Update your T2 build cache
sudo t2-update

# Step 2: Build and install OpenVPN
sudo t2-builder openvpn
  
If you prefer manual source compilation:
git clone https://github.com/OpenVPN/openvpn.git
cd openvpn
./configure --prefix=/usr --sysconfdir=/etc
make
sudo make install
  
With the binary in place, configure your client.conf or client.ovpn file in /etc/openvpn/client:
sudo tee /etc/openvpn/client/myvpn.conf ltlt EOF
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-GCM
verb 3
EOF
  
Start the client with:
sudo openvpn --config /etc/openvpn/client/myvpn.conf
  
If you’re running a desktop session under Xfce or GNOME, you can install the openvpn-gnome NetworkManager plugin via t2-builder networkmanager-openvpn and control your connections from the panel applet.
Conclusion
On T2, flexibility and source-centric workflows are king. WireGuard and OpenVPN both integrate cleanly with t2-kernel and t2-builder, letting you maintain a minimal, customised build. WireGuard wins for performance and simplicity in modern kernels, while OpenVPN remains the go-to if you need SSL/TLS compatibility or GUI plugins for your desktop. Whichever you choose, these recipes will have you up and running in no time.