OpenVPN

OpenVPN Protocol
Written by: Per-Erik Eriksson

OpenVPN is an open-source VPN protocol and software suite that provides secure point-to-point or site-to-site connections free of charge. It is one of the few open-source VPN protocols that combines broad functionality with strong security and can also be tunnelled through firewalls and other network blocks.

In layman’s terms, OpenVPN is a mature, widely trusted technology that keeps data encrypted while it travels between the VPN client and the VPN server over the internet.

The software also lets administrators manage multiple networks and control which routes and sites connected clients can reach. Peers can authenticate each other via pre-shared keys, usernames/passwords, or certificates. On top of that, OpenVPN has been embedded into several other products, such as SoftEther VPN and DD-WRT.

How Does OpenVPN Work?

The OpenVPN protocol handles all client-server communication by establishing a secure tunnel between a VPN client and a VPN server. It relies heavily on the OpenSSL library for encryption and authentication: a TLS handshake sets up the control channel and negotiates the keys that protect the data channel carrying the tunnelled packets.

OpenVPN can use either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) as its transport. TCP is more reliable because it retransmits lost segments, but carrying TCP traffic inside a TCP tunnel makes both layers retransmit on loss, so UDP is faster and is the recommended default; TCP is mainly used where UDP is filtered.

Because it is an ordinary TLS-based application protocol, OpenVPN traverses NAT without special support, and when run over TCP port 443 its traffic resembles HTTPS to simple port-based firewalls and proxies that only allow web traffic. Deep packet inspection can still recognise OpenVPN framing, so this is evasion of port filters, not of content inspection.
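The transport and tunnel-hardening choices described above show up as a handful of directives in an OpenVPN client configuration. The following Python script is an added example (not code from the OpenVPN project or this article’s author) that parses two constructed client configs, a legacy one and a hardened one, and reports the settings a reviewer would flag: TCP without a UDP alternative, a missing tls-auth/tls-crypt key, no server-role certificate check, no TLS version floor, 64-bit block ciphers on the data channel, and cached passwords. The hostnames, key file names and cipher list are assumptions chosen for the example.

```python
"""Audit OpenVPN client configs for transport and hardening directives.
Added example, not part of OpenVPN; both sample configs are constructed."""

# Constructed sample: a legacy client config with several weak choices.
WEAK_CLIENT_CONF = """\
client
dev tun
proto tcp
remote vpn.example.com 443
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
auth-user-pass
cipher BF-CBC
auth SHA1
verb 3
"""

# Constructed sample: the same endpoint over UDP with hardening applied.
HARDENED_CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.com 1194
# fall back to TCP/443 only when UDP is filtered
remote vpn.example.com 443 tcp
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-crypt tc.key
remote-cert-tls server
verify-x509-name vpn.example.com name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
auth-user-pass
auth-nocache
verb 3
"""

# 64-bit block ciphers (and "none") that OpenVPN can still be told to use.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}


def parse_conf(text):
    """Return (directive, args) pairs; '#' and ';' start comments, blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def audit(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    d = {}
    for name, args in parse_conf(text):
        d.setdefault(name, []).append(args)   # directives such as remote may repeat
    findings = []

    # Transport: TCP-in-TCP retransmission stacking, unless a UDP remote exists.
    protos = [a[0] for a in d.get("proto", [])]
    udp_remote = any(len(a) >= 3 and a[2].startswith("udp") for a in d.get("remote", []))
    if protos and protos[0].startswith("tcp") and not udp_remote:
        findings.append("proto tcp without a udp remote: TCP-in-TCP stacks retransmissions")

    # Control channel: drop unauthenticated packets before they reach TLS.
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & d.keys()):
        findings.append("no tls-auth/tls-crypt: control channel reachable without a shared key")

    # Server role check: otherwise any client cert from the same CA can pose as server.
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append("no remote-cert-tls server: CA-issued client cert could impersonate server")

    tv = d.get("tls-version-min")
    if tv is None or float(tv[0][0]) < 1.2:
        findings.append("tls-version-min missing or below 1.2")

    # Data channel: negotiated list (data-ciphers/ncp-ciphers) beats static cipher;
    # with neither, pre-2.4 builds defaulted to BF-CBC.
    ciphers = [c.upper() for a in d.get("data-ciphers", []) + d.get("ncp-ciphers", [])
               for c in a[0].split(":")]
    if not ciphers:
        ciphers = [a[0].upper() for a in d.get("cipher", [])] or ["BF-CBC"]
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(f"weak data-channel cipher {c} (64-bit block or no encryption)")

    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("auth-user-pass without auth-nocache: password kept in client memory")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CLIENT_CONF), ("hardened", HARDENED_CLIENT_CONF)):
        print(f"[{label}]", *(audit(conf) or ["no findings"]), sep="\n  ")
```

The parser is deliberately minimal (no inline-file `<ca>` blocks, no `config` includes), which is enough for client profiles of this shape; for server configs the same approach extends to checking `tls-crypt`, `data-ciphers` and `remote-cert-tls client`.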

OpenVPN Architecture

OpenVPN ranks among the most secure protocols available today thanks to its structure, adaptability, and conservative security design. Below is a breakdown of its architecture.

  • Encryption — As mentioned, OpenVPN uses the OpenSSL library for its ciphers and encrypts both the control channel and the data channel. Every data packet is also authenticated with an HMAC, and the control channel can be wrapped with a tls-auth or tls-crypt key so that packets without the right key are dropped before they reach the TLS stack.
  • Authentication — Peers can authenticate each other through a pre-shared key, verified certificates, or a username and password combination. Pre-shared keys are the easiest to use but only work for a single point-to-point link; certificates offer the most features. Username/password authentication relies on a plug-in or script (PAM, for example) that OpenVPN calls to verify the credentials, normally in addition to certificates rather than instead of them.
  • Networking — As explained, OpenVPN runs over TCP or UDP and multiplexes many TLS tunnels on a single port. That makes it a good alternative to IPsec where an ISP or firewall blocks specific VPN protocols. OpenVPN 2.3 and later support IPv6, and the protocol traverses NAT and port-based firewalls as described above.
  • Security — OpenVPN ranks among the safest protocols on the web. Besides 256-bit AES, it can use any cipher OpenSSL provides, including Camellia, CAST-128, and 3DES; modern deployments should restrict the data channel to AEAD ciphers such as AES-GCM or ChaCha20-Poly1305 and avoid 64-bit block ciphers like 3DES and CAST-128. OpenVPN uses its own protocol built on TLS rather than PPTP, IPsec, IKE, or L2TP.
  • Extensibility — Users can extend OpenVPN with third-party scripts and plug-ins for advanced logging, authentication, RADIUS integration, and firewall updates. The OpenVPN source tree ships several plug-ins, such as PAM (pluggable authentication module) authentication.
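The authentication and extensibility points above meet in the server’s auth-user-pass-verify hook: with `script-security 2` and `auth-user-pass-verify /etc/openvpn/check_user.py via-file` in the server config, OpenVPN writes the client’s username and password on two lines of a temporary file, passes its path as the script’s only argument, and treats exit status 0 as success. The script below is an added example of such a hook (not shipped with OpenVPN); its user store, salts and passwords are constructed for the example, and in practice the records would live in a file or directory readable only by the OpenVPN user.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify script in via-file mode. Added example, not part of
OpenVPN. The user store below is constructed for the example."""

import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; raise on fast hardware


def derive(password, salt):
    """Derive the stored verifier for a password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password, salt):
    """Store (salt, verifier); the clear-text password is never kept."""
    return salt, derive(password, salt)


# Constructed user store (fixed salts so the example is reproducible).
USERS = {
    "alice": make_record("correct horse", b"salt-for-alice"),
    "bob": make_record("battery staple", b"salt-for-bob"),
}
# Used for unknown usernames so that their PBKDF2 cost matches a real lookup.
DUMMY_RECORD = (b"dummy-salt", b"\x00" * 32)


def check_credentials(username, password):
    """Constant-time verifier comparison; unknown users still pay the PBKDF2 cost."""
    salt, expected = USERS.get(username, DUMMY_RECORD)
    candidate = derive(password, salt)
    return hmac.compare_digest(candidate, expected) and username in USERS


def read_via_file(path):
    """Parse the two-line file OpenVPN hands to a via-file script."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("expected username on line 1 and password on line 2")
    return lines[0], lines[1]


def verify_file(path):
    """Return True when the credentials in the file are valid; never raise."""
    try:
        user, password = read_via_file(path)
    except (OSError, ValueError):
        return False
    # OpenVPN exports the connecting address as untrusted_ip; log it, never the password.
    peer = os.environ.get("untrusted_ip", "?")
    ok = check_credentials(user, password)
    print(f"auth {'OK' if ok else 'FAIL'} user={user!r} from {peer}", file=sys.stderr)
    return ok


if __name__ == "__main__":
    # Exit 0 grants access; anything else makes OpenVPN reject the client.
    sys.exit(0 if len(sys.argv) == 2 and verify_file(sys.argv[1]) else 1)
```

OpenVPN deletes the temporary credentials file after the script returns; the script should not copy it anywhere, and the log line above deliberately omits the password. Pair this with certificates (`remote-cert-tls client` on the server) rather than replacing them, as the Authentication bullet notes.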

Supported Platforms

Unlike some other protocols, OpenVPN isn’t tied to particular hardware or a particular operating system. It can run on any platform whose software or firmware implements the OpenVPN protocol. Among them are:

  • macOS
  • Windows
  • Linux
  • Solaris
  • NetBSD
  • OpenBSD
  • FreeBSD
  • QNX

OpenVPN is also available on several mobile operating systems, namely Android, iOS, Windows, and Maemo. However, OpenVPN is not interoperable with clients that speak IPsec, L2TP, or PPTP; those are different protocols and need their own client software.

As for firmware configurations, OpenVPN supports several router packages, enabling users to launch it through server or client modes from their network routers. The most common firmware packages compatible with OpenVPN are DD-WRT, Gargoyle, Tomato, OPNsense, OpenWrt, and pfSense.

Moreover, OpenVPN has been implemented in several other software products. One is SoftEther VPN, an open-source multi-protocol VPN server that lets existing OpenVPN clients connect to it. Another is VyOS, an open-source routing OS that also supports OpenVPN.

Licensing Data

OpenVPN protocol comes in two versions:

  • OpenVPN Community Edition — A free, open-source variant released under the GPLv2 license and maintained by a wide network of contributors who review, test, and improve the code.
  • OpenVPN Access Server — A paid version intended for businesses. OpenVPN-AS adds features such as LDAP integration and web-based management, along with installation and configuration tools that simplify remote-access deployments. This version is not available for Windows, as it relies on Linux iptables.
