OpenVPN

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[9] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).[10]

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using a signature and a certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of the OpenVPN protocol.

Private Tunnel VPN is a commercial spin-off of OpenVPN Technologies, a VPN service provider based in the US that, unusually, charges according to data transferred rather than per month.[11]

1 Architecture

1.1 Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance.[12][13] Support for mbed TLS is available starting from version 2.3.[14]

1.2 Authentication

OpenVPN has several ways to authenticate peers with each other. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. A pre-shared secret key is the easiest to set up, with certificate-based authentication being the most robust and feature-rich. In version 2.0 username/password authentication can be enabled, both with or without certificates. However, to make use of username/password authentication, OpenVPN depends on third-party modules. See the Extensibility section for more information.

1.3 Networking

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing created SSL tunnels on a single TCP/UDP port[15] (RFC 3948 for UDP).[16] From the 2.3.x series on, OpenVPN fully supports IPv6 as the protocol of the virtual network inside a tunnel, and the OpenVPN applications can also establish connections via IPv6.[17] It has the ability to work through most proxy servers (including HTTP) and is good at working through network address translation (NAT) and getting out through firewalls. The server configuration has the ability to push certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. Port 1194 is the official IANA-assigned port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows for one process to manage several simultaneous tunnels, as opposed to the original one-tunnel-per-process restriction on the 1.x series.

OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, business grade, service tier.

When OpenVPN uses Transmission Control Protocol (TCP) transports to establish a tunnel, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the TCP meltdown problem.[18][19]
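The following POSIX shell script is an added example, not code from the article or from the OpenVPN project. It writes a server configuration that exercises the options discussed above (UDP on the IANA-assigned port 1194, a layer-3 TUN device, routes and a resolver pushed to clients, and the tls-auth HMAC packet-authentication layer from the Encryption section) together with the run-time hardening directives OpenVPN provides (dropping root, mlockall via `mlock`, a chroot jail), and then audits any configuration file for those hardening directives so that a weakened copy can be spotted. The PKI paths, the 10.8.0.0/24 and 192.168.10.0/24 subnets, the resolver address and the jail directory are constructed placeholders; the directive names are OpenVPN's own.

```shell
#!/bin/sh
# Added example (not from the article or the OpenVPN project): write a
# hardened server configuration and audit configuration files for the
# hardening directives. Paths, subnets and the resolver are placeholders.

write_server_conf() {
    # $1 = path of the configuration file to create
    cat > "$1" <<'EOF'
# transport and tunnel type
port 1194
proto udp
dev tun
# virtual network handed out to clients (placeholder subnet)
server 10.8.0.0 255.255.255.0
topology subnet
keepalive 10 120
# options pushed to every client: a LAN behind the server and its resolver (placeholders)
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.1"
# PKI material (placeholder paths)
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# HMAC-sign every control-channel packet; the client side uses direction 1
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
auth SHA256
# run-time hardening: drop root, keep keys and the tun device across restarts,
# lock memory so key material is never swapped out, confine the process to a jail
user nobody
group nogroup
persist-key
persist-tun
mlock
chroot /var/lib/openvpn/jail
verb 3
EOF
}

# Directives a hardened server configuration is expected to contain.
REQUIRED="tls-auth user group persist-key persist-tun mlock chroot"

audit_conf() {
    # $1 = configuration file. Prints each missing directive and returns the
    # number missing, so a return value of 0 means every directive is present.
    missing=0
    for name in $REQUIRED; do
        # match the directive at line start, with arguments or alone;
        # a commented-out copy such as "#chroot /jail" does not count
        if ! grep -Eq '^'"$name"'([[:space:]]|$)' "$1"; then
            echo "missing: $name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

pushed_options() {
    # $1 = configuration file. Prints the options the server pushes to clients.
    sed -n 's/^push "\(.*\)"$/\1/p' "$1"
}

# Demonstration when run as "sh this_script.sh --demo": write the configuration,
# audit it, then audit a deliberately weak file to show the report.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_server_conf "$dir/server.conf"
    audit_conf "$dir/server.conf" && echo "server.conf: all hardening directives present"
    pushed_options "$dir/server.conf"
    printf 'port 1194\nproto tcp\ndev tun\nuser nobody\n' > "$dir/weak.conf"
    audit_conf "$dir/weak.conf" || echo "weak.conf: $? directives missing"
    rm -rf "$dir"
fi
```

The audit deliberately matches directives only at the start of a line, so a directive that has been commented out with `#` or `;` is reported as missing. Note that `chroot` and `user`/`group` take effect after initialization, so anything the daemon must read afterwards (for example hook scripts) has to be reachable from inside the jail by the unprivileged user.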
1.4 Security

OpenVPN offers several internal security features. It has up to 256-bit encryption through the OpenSSL library, although some service providers may offer lower rates, effectively making the connection faster.[20] It runs in userspace instead of requiring IP stack (therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization and apply a SELinux context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS[9] rather than supporting IKE, IPsec, L2TP or PPTP. OpenVPN offers support of smart cards via PKCS#11 based cryptographic tokens.

1.5 Extensibility

OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined entry points.[21][22] The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with usernames and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code[23] there are some examples of such plug-ins, including a PAM authentication plug-in. Several third-party plug-ins also exist to authenticate against LDAP or SQL databases such as SQLite and MySQL. There is an overview of many of these extensions in the related project wiki page for the OpenVPN community.

2 Platforms

It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, macOS and Windows XP and later.[24] OpenVPN is available for mobile phone operating systems (OS) including Maemo,[25] Windows Mobile 6.5 and below,[26] iOS 3GS+ devices,[27] jailbroken iOS 3.1.2+ devices,[28] Android 4.0+ devices, and Android devices that have had the Cyanogenmod aftermarket firmware flashed[29] or have the correct kernel module installed.[30] It is not compatible with some mobile phone OSes, including Palm OS. It is not a web-based VPN shown as a web page such as Citrix or Terminal Services Web access; the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard. OpenVPN is not compatible with VPN clients that use the IPsec over L2TP or PPTP protocols. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.

2.1 Firmware implementations

OpenVPN has been integrated into router firmware packages such as Vyatta, pfSense, DD-WRT,[31] OpenWrt[32] and Tomato,[33][34] allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, allows any computer on a network to access a VPN without the need to install OpenVPN. Web sites such as MyOpenRouter (dedicated to Netgear routers) discuss new hardware and firmware developments, with much discussion of OpenVPN, active as of December 2016. OpenVPN has been implemented in some manufacturer router firmware, such as the D-Link DSR-250[35] and some MikroTik routers.[36] MikroTik's implementation does not support the UDP protocol or LZO compression, which limits the transfer speeds attainable. MikroTik said in 2010 that they would not continue developing OpenVPN in favor of SSTP.[37]

2.2 Software implementations

OpenVPN has been integrated into SoftEther VPN, an open-source multi-protocol VPN server, to allow users to connect to the VPN server from existing OpenVPN clients.

3 Editions

OpenVPN is available in 2 versions:

- OpenVPN Community Edition, which is an open-source and free version;
- OpenVPN Access Server (OpenVPN-AS), which is based on the Community Edition but provides additional paid and proprietary features like LDAP integration, an SMB server and Web UI management, and provides a set of installation and configuration tools that are reported to simplify the rapid deployment of a VPN remote access solution.[38][39]
  The Access Server edition relies heavily on iptables, for load balancing for example; as such, it has never been available for Windows. This version is also able to dynamically create client (OpenVPN Connect) installers which include a client profile for connecting to a particular Access Server instance.[40] However, the user does not need to have an Access Server client in order to connect to the Access Server instance; the client from the OpenVPN Community Edition can be used.[41]
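As an added example of the script entry points described under Extensibility (this is not code from the article or from the OpenVPN project): a POSIX shell script for OpenVPN's learn-address hook, which the server runs with the operation (add, update or delete), the client's virtual address or route and, for add and update, the common name from the client's certificate. The script keeps a per-client iptables chain in step with an access-control file, so what a client may reach through the tunnel depends on who it authenticated as; this is the "dynamic firewall updates" use case the section mentions. The ACL file format (`<cn> <cidr>[,<cidr>...]`), the chain naming scheme, the `ACL_FILE` and `IPTABLES` environment overrides and the `/etc/openvpn/acl` default path are assumptions made for this example; the learn-address argument order is OpenVPN's documented one.

```shell
#!/bin/sh
# Added example (not from the article or the OpenVPN project): a learn-address
# hook that maintains a per-client firewall chain from a constructed ACL file.
# OpenVPN invokes it as:  script <add|update|delete> <address> [<common_name>]

# Overridable for testing: IPTABLES="echo iptables" turns every rule change
# into a printed line instead of a real firewall change.
fw() {
    # word splitting of the unquoted variable is intentional (dry-run support)
    ${IPTABLES:-iptables} "$@"
}

valid_addr() {
    # IPv4 host address or CIDR route only; anything else (including shell
    # metacharacters) is refused before it reaches a command line
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

valid_cn() {
    # restrict the common name to a conservative character set
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._@-]+$'
}

chain_for() {
    # derive a unique, iptables-safe chain name from the learned address
    printf 'ovpn_%s\n' "$1" | tr './' '__'
}

allowed_nets() {
    # print the destination networks granted to common name $1, one per line;
    # an unknown common name yields nothing, i.e. deny by default
    awk -v cn="$1" '$1 == cn { print $2 }' "${ACL_FILE:-/etc/openvpn/acl}" 2>/dev/null | tr ',' '\n'
}

learn_address() {
    op=$1; addr=$2; cn=$3
    valid_addr "$addr" || { echo "learn-address: refusing malformed address" >&2; return 1; }
    chain=$(chain_for "$addr")
    case $op in
    add|update)
        valid_cn "$cn" || { echo "learn-address: refusing malformed common name" >&2; return 1; }
        fw -N "$chain" 2>/dev/null || true   # chain may already exist on update
        fw -F "$chain"                        # rebuild it from the ACL every time
        allowed_nets "$cn" | while read -r net; do
            if [ -n "$net" ]; then
                fw -A "$chain" -d "$net" -j ACCEPT
            fi
        done
        fw -A "$chain" -j DROP                # everything not granted is dropped
        fw -D FORWARD -s "$addr" -j "$chain" 2>/dev/null || true
        fw -I FORWARD -s "$addr" -j "$chain"
        ;;
    delete)
        fw -D FORWARD -s "$addr" -j "$chain" 2>/dev/null || true
        fw -F "$chain" 2>/dev/null || true
        fw -X "$chain" 2>/dev/null || true
        ;;
    *)
        echo "learn-address: unknown operation '$op'" >&2
        return 1
        ;;
    esac
}

# OpenVPN supplies the arguments; with none (e.g. when sourced for tests)
# only the functions are defined.
if [ $# -ge 2 ]; then
    learn_address "$@"
fi
```

The server enables the hook with `script-security 2` and `learn-address /path/to/this-script.sh`; a dry run from a shell looks like `IPTABLES="echo iptables" sh this-script.sh add 10.8.0.6 alice`. Two practical caveats follow from the Security section: once the daemon has dropped to `user nobody`, the hook runs unprivileged and cannot change firewall rules without a separate privilege arrangement, and once it has entered a `chroot` jail the script and its interpreter must exist inside the jail.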
4 Community

(Image caption: A circa 2005 version of the OpenVPN community logo.)

OpenVPN has many support options. The primary method for community support is through the OpenVPN mailing lists. Other sources of support - not directly affiliated with OpenVPN - include:

- OpenConnect, which implements a TLS- and DTLS-based VPN
- OpenSSH, which also implements a layer-2/3 "tun"-based VPN
- stunnel, which encrypts any TCP connection (single port service) over SSL

5 See also

- UDP hole punching, a technique for establishing UDP connections between firewalled/NATed network nodes
- Point-to-Point Tunneling Protocol (PPTP), Microsoft method for implementing VPN
- Secure Socket Tunneling Protocol (SSTP), Microsoft method for implementing PPP over SSL VPN
- SoftEther VPN, an open-source VPN server program which supports the OpenVPN protocol

6 References

[1] OpenVPN Change Log - OpenVPN Change Log
[2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[3] Downloads. openvpn.net. Retrieved 2 February 2016.
[4] Private Tunnel VPN - Android Apps on Google Play.
[5] Private Tunnel VPN. App Store. 23 October 2014.
[6] How to connect to Access Server from a Linux computer.
[7] FreeBSD Ports Search.
[8] The NetBSD Packages Collection: net/openvpn.
[9] OpenVPN Security Overview. Retrieved 28 September 2011.
[10] LinuxSecurity.com - OpenVPN: An Introduction and Interview with Founder, James Yonan.
[11] Andrew Harrison (8 April 2015). Private Tunnel review: VPN charges only for the data you use. PC Advisor. Retrieved 23 November 2015.
[12] Network Security Hacks by Andrew Lockhart - Hack #104 - Create a Cross-platform VPN.
[13] IPv6 Deployment Guide by 6net - Chapter 5 - Integration and Transition.
[14] Overview of changes in OpenVPN v2.3 - ChangesInOpenvpn23 - OpenVPN Community.
[15] OpenVPN man page, section "TLS Mode Options".
[16] User Centric Media: First International Conference, UCMedia 2009, Venice, Italy, 9–11 December 2009, Revised Selected Papers, by Petros Daras, Oscar Mayora Ibarra - Scalable IPTV Delivery to Home via VPN - Proposed Scheme.
[17] OpenVPN community wiki, IPv6 in OpenVPN. Retrieved 8 December 2013.
[18] Titz, Olaf (23 April 2001). Why TCP Over TCP Is A Bad Idea. Retrieved 17 October 2015.
[19] Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency. doi:10.1117/12.630496. Retrieved 17 October 2015.
[20] VPN Newbie Guide: Picking between OpenVPN, PPTP and L2TP. vpnpick.com. Retrieved 30 March 2014.
[21] OpenVPN script entry points. Openvpn.net. Retrieved 30 July 2012.
[22] OpenVPN plug-in entry points for C based modules.
[23] OpenVPN example plug-ins. Openvpn.git.sourceforge.net. Retrieved 30 July 2012.
[24] Downloads. openvpn.net. OpenVPN. Retrieved 6 August 2015.
[25] OpenVPN Maemo package. Maemo.org. Retrieved 30 July 2012.
[26] OpenVPN for PocketPC. Ovpnppc.ziggurat29.com. 1 April 2007. Retrieved 30 July 2012.
[27] OpenVPN Connect. OpenVPN Technologies. 16 January 2013. Retrieved 16 January 2013.
[28] GuizmOVPN - OpenVPN GUI for iPhone/iPad. guizmovpn.com. 30 September 2007. Retrieved 30 September 2012.
[29] cyanogen (7 July 2010). CHANGELOG at eclair from CyanogenMod's android_vendor_cyanogen. GitHub. Retrieved 28 October 2010. Nexus One Cyanogenmod changelog.
[30] How to setup and configure OpenVPN on Android rooted device | VPN blog is actual information about VPN. Vpnblog.info. Retrieved 30 July 2012.
[31] dd-wrt.com - OpenVPN.
[32] Easy OpenVPN server setup guide - OpenWrt Wiki. Wiki.openwrt.org. Retrieved 30 July 2012.
[33] TomatoVPN. Tomatovpn.keithmoyer.com. Retrieved 30 July 2012.
[34] LinksysInfo.org VPN build with Web GUI.
[35] D-Link - Building Networks for People (PDF).
[36] OpenVPN.
[37] normis, MikroTik Support (26 October 2010). Status of OpenVPN in RouterOS? - MikroTik RouterOS. Forum.mikrotik.com. Retrieved 28 December 2015.
[38] OpenVPN Product Comparison. Retrieved 2017-01-15.
[39] What is OpenVPN Access Server (OpenVPN-AS)? Retrieved 2017-01-15.
[40] Regarding chocolatey.org repository Issue #2 wget/chocolatey_package_openvpn. 2017-01-16. Retrieved 2017-01-16.
[41] Can I use a community OpenVPN client to connect to the Access Server? Retrieved 2017-01-16.

7 External links

- OpenVPN project homepage
- OpenVPN presentation and demonstration video, Hampshire Linux User Group. Archive.org. details.
8 Text and image sources, contributors, and licenses

Text source: https://en.wikipedia.org/wiki/OpenVPN?oldid=761485297

Content license: Creative Commons Attribution-Share Alike 3.0