OpenVPN

Last updated

OpenVPN
Original author(s) James Yonan
Developer(s) OpenVPN project / OpenVPN Inc.
Initial release13 May 2001;23 years ago (2001-05-13) [1]
Stable release 2.6.12 [2] (18 July 2024;2 months ago (2024-07-18)) [±]
Repository
Written in C
Platform
Type VPN
License GNU GPLv2 [10]
Website openvpn.net   OOjs UI icon edit-ltr-progressive.svg

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

Contents

OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority.

It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features. It uses a custom security protocol [11] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.[ citation needed ]

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, also has an implementation of OpenVPN protocol. [12]

It was written by James Yonan and is free software, released under the terms of the GNU General Public License version 2 (GPLv2). [13] Additionally, commercial licenses are available. [14]

Architecture

Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance. [15] [16] Support for mbed TLS is available starting from version 2.3. [17]

Authentication

OpenVPN has several ways to authenticate peers with each other. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. Preshared secret key is the easiest, and certificate-based is the most robust and feature-rich.[ citation needed ] In version 2.0 username/password authentications can be enabled, both with or without certificates. However, to make use of username/password authentications, OpenVPN depends on third-party modules.[ citation needed ]

Networking

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing created SSL tunnels on a single TCP/UDP port [18] (RFC 3948 for UDP). [19]

From 2.3.x series on, OpenVPN fully supports IPv6 as protocol of the virtual network inside a tunnel and the OpenVPN applications can also establish connections via IPv6. [20] It has the ability to work through most proxy servers (including HTTP) and is good at working through network address translation (NAT) and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. Port 1194 is the official IANA assigned port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows for one process to manage several simultaneous tunnels, as opposed to the original "one tunnel per process" restriction on the 1.x series.

OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, "business grade" service tier. For example, Comcast previously declared that their @Home product was, and had always been, designated as a residential service and did not allow the use of commercial applications. Their argument was that conducting remote work via a VPN can adversely affect the network performance of their regular residential subscribers. They offered an alternative, @Home Professional, this would cost more than @Home product. So, anyone wishing to use VPN would have to subscribe to higher-priced, business-grade service tier. [21]

When OpenVPN uses Transmission Control Protocol (TCP) transports to establish a tunnel, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. [22] If this becomes untrue, performance falls off dramatically due to the TCP meltdown problem. [23] [24]

Security

OpenVPN offers various internal security features. It has up to 256-bit encryption through the OpenSSL library, although some service providers may offer lower rates, effectively providing some of the fastest VPN available to consumers. OpenVPN also supports Perfect Forward Secrecy (PFS), which regenerates encryption keys at set intervals, ensuring that even if one key is compromised, previous and future data remains secure. Additionally, OpenVPN can be configured with various encryption ciphers, such as ChaCha20 and AES-256. [25] It runs in userspace instead of requiring IP stack (therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization, and apply a SELinux context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS, [11] rather than supporting IKE, IPsec, L2TP or PPTP.

OpenVPN offers support of smart cards via PKCS#11-based cryptographic tokens.

Extensibility

OpenVPN can be extended with third-party plug-ins or scripts, which can be called at defined entry points. [26] [27] The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code [28] there are some examples of such plug-ins, including a PAM authentication plug-in. Several third-party plug-ins also exist to authenticate against LDAP or SQL databases such as SQLite and MySQL. [29]

OpenVPN header format
Offsets Octet 0123
Octet Bit 012345678910111213141516171819202122232425262728293031
00OpcodeKeyIDSession ID
432Session ID
864Session IDHMAC
1296HMAC
24192
28224HMACPacket ID
32256Packet IDNet Time
36288Net TimeMsg Array LenMessage Packet ID #

Platforms

It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, macOS and Windows XP and later. [30] OpenVPN is available for mobile operating systems including Maemo, [31] Windows Mobile 6.5 and below, [32] iOS 3GS+ devices, [33] jailbroken iOS 3.1.2+ devices, [34] Android 4.0+ devices, and Android devices that have had the Cyanogenmod aftermarket firmware flashed [35] or have the correct kernel module installed. [36] It is not compatible with some mobile phone OSes, including Palm OS. It is not a "web-based" VPN shown as a web page such as Citrix or Terminal Services Web access; the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard. OpenVPN is not compatible with VPN clients that use the IPsec over L2TP or PPTP protocols. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.

Firmware implementations

OpenVPN has been integrated into several router firmware packages allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, allows any device on a network to access a VPN without needing the capability to install OpenVPN.

Notable firmware packages with OpenVPN integration include:

Notable firmware packages with OpenVPN integration
Firmware packageCostDeveloperReferences
DD-WRT FreeNewMedia-NET GmbH [37]
Gargoyle FreeEric Bishop [38]
OpenWrt FreeCommunity driven development [39]
OPNsense FreeDeciso BV [40]
pfSense FreeRubicon Communications, LLC (Netgate)
Tomato FreeKeith Moyer [41] [42]

OpenVPN has also been implemented in some manufacturer router firmware.

Software implementations

OpenVPN has been integrated into SoftEther VPN, an open-source multi-protocol VPN server, to allow users to connect to the VPN server from existing OpenVPN clients.

OpenVPN is also integrated into Vyos, an open-source routing operating system forked from the Vyatta software router.

Licensing

OpenVPN is available in two versions:

See also

Related Research Articles

The Secure Shell (SSH) Protocol is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a plain-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

Virtual private network (VPN) is a network architecture for virtually extending a private network across one or multiple other networks which are either untrusted or need to be isolated.

The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks. PPTP has many well known security issues.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises in 1991 as an access server authentication and accounting protocol. It was later brought into IEEE 802 and IETF standards.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded. A SOCKS server accepts incoming client connection on TCP port 1080, as defined in RFC 1928.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity as well as authenticate itself to the connecting entity by declaring the type of information needed for authentication as well as syntax. It is the most important layer of protection needed for secure communication within computer networks.

netcat Computer networking utility

netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built-in capabilities.

FTPS is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and, formerly, the Secure Sockets Layer cryptographic protocols.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP), the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP it avoids the TCP meltdown problem when being used to create a VPN tunnel.

In computer networking, Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel.

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

University of Tsukuba Virtual Private Network, UT-VPN is a free and open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses SSL/TLS security for encryption and is capable of traversing network address translators (NATs) and firewalls. It was written by Daiyuu Nobori and SoftEther Corporation, and is published under the GNU General Public License (GPL) by University of Tsukuba.

OpenConnect is a free and open-source cross-platform multi-protocol virtual private network (VPN) client software which implement secure point-to-point connections.

<span class="mw-page-title-main">SoftEther VPN</span> Open-source VPN client and server software

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

The Internet Assigned Numbers Authority (IANA) officially assigned TCP port 4604 to the Identity Registration Protocol (IRP) created by Sixscape Communications, Pte. Ltd. The assignment was issued by IANA on 17 March 2014, and is listed in the official IANA resource registry.

References

  1. OpenVPN Change Log - OpenVPN Release Notes
  2. "Community Downloads". openvpn.net. Retrieved 20 June 2024.
  3. "Downloads". openvpn.net. Retrieved 27 January 2023.
  4. "Private Tunnel VPN - Android Apps on Google Play".
  5. "Private Tunnel VPN". App Store. 23 October 2014.
  6. "How to connect to Access Server from a Linux computer".
  7. "FreeBSD Ports Search".
  8. "OpenBSD Ports".
  9. "The NetBSD Packages Collection: net/openvpn".
  10. "openvpn_COPYING at master · OpenVPN_openvpn". GitHub . 30 July 2019. Archived from the original on 31 July 2019. Retrieved 30 July 2019.
  11. 1 2 "OpenVPN Security Overview" . Retrieved 28 September 2011.
  12. Bischoff, Paul (31 August 2018). "6 open source tools for making your own VPN". Opensource.com . Archived from the original on 31 August 2018. Retrieved 30 July 2019.
  13. LinuxSecurity.com - OpenVPN: An Introduction and Interview with Founder, James Yonan
  14. openvpn.net: Pricing, retrieved 12 December 2018
  15. Andrew Lockhart (2006). Network Security Hacks: Tips & Tools for Protecting Your Privacy. "O'Reilly Media, Inc.". p. 339. ISBN   978-0-596-55143-8.
  16. 6net (2008). IPv6 Deployment Guide. Javvin Technologies Inc. p. 109. ISBN   978-1-60267-005-1.{{cite book}}: CS1 maint: numeric names: authors list (link)
  17. Overview of changes in OpenVPN v2.3 - ChangesInOpenvpn23 - OpenVPN Community
  18. OpenVPN man page, section "TLS Mode Options"
  19. Petros Daras; Oscar Mayora (2013). User Centric Media: First International Conference, UCMedia 2009, Venice, Italy, December 9-11, 2009, Revised Selected Papers. Springer Science & Business Media. p. 239. ISBN   978-3-642-12629-1.
  20. OpenVPN community wiki, IPv6 in OpenVPN - retrieved 8 December 2013
  21. "OpenVPN VPN Protocol". privacyhq.com. Retrieved 24 June 2021.
  22. Murray, Mike (20 March 2021). "OPENVPN MTU: Finding The Correct Settings". The Geek Pub. Archived from the original on 20 March 2021. Retrieved 20 July 2022.
  23. Titz, Olaf (23 April 2001). "Why TCP Over TCP Is A Bad Idea" . Retrieved 17 October 2015.
  24. Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". In Atiquzzaman, Mohammed; Balandin, Sergey I. (eds.). Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III. Vol. 6011. Bibcode:2005SPIE.6011..138H. CiteSeerX   10.1.1.78.5815 . doi:10.1117/12.630496. S2CID   8945952.
  25. "OpenVPN explained: Definition, how it works, and safety | NordVPN". nordvpn.com (in German). 29 November 2023. Retrieved 10 September 2024.
  26. "OpenVPN script entry points". Openvpn.net. Retrieved 30 July 2012.
  27. OpenVPN plug-in entry points for C based modules.
  28. "OpenVPN example plug-ins". Openvpn.git.sourceforge.net. Retrieved 30 July 2012.
  29. OpenVPN Community Wiki - Related Projects
  30. "Downloads". openvpn.net. OpenVPN. Retrieved 6 August 2015.
  31. "OpenVPN Maemo package". Maemo.org. Retrieved 30 July 2012.
  32. "OpenVPN for PocketPC". Ovpnppc.ziggurat29.com. 1 April 2007. Retrieved 30 July 2012.
  33. "OpenVPN Connect". OpenVPN Technologies. 16 January 2013. Retrieved 16 January 2013.
  34. "GuizmOVPN - OpenVPN GUI for iPhone/iPad". guizmovpn.com. 30 September 2007. Retrieved 30 September 2012.
  35. "CHANGELOG at eclair from CyanogenMod's android_vendor_cyanogen". GitHub . cyanogen. 7 July 2010. Retrieved 28 October 2010. Nexus One Cyanogenmod changelog
  36. "How to setup and configure OpenVPN on Android rooted device | VPN blog is actual information about VPN". Vpnblog.info. Archived from the original on 26 May 2011.
  37. dd-wrt.com - OpenVPN
  38. Gargoyle Wiki - OpenVPN
  39. "OpenVPN - OpenWrt Wiki". openwrt.org. Retrieved 11 June 2018.
  40. "opnsense.org - OPNsense 17.1 Release Announcement".
  41. "TomatoVPN". Tomatovpn.keithmoyer.com. Retrieved 30 July 2012.
  42. LinksysInfo.org – VPN build with Web GUI
  43. "OpenVPN Product Comparison" . Retrieved 15 January 2017.
  44. "What is OpenVPN Access Server (OpenVPN-AS)?" . Retrieved 15 January 2017.
  45. "Regarding chocolatey.org repository · Issue #2 · wget/chocolatey_package_openvpn". GitHub . 16 January 2017. Retrieved 16 January 2017.
  46. "Can I use a community OpenVPN client to connect to the Access Server?" . Retrieved 16 January 2017.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.