OpenVPN
Original author(s) | James Yonan |
---|---|
Developer(s) | OpenVPN project / OpenVPN Technologies, Inc. |
Initial release | 0.90 / 13 May 2001[1] |
Stable release | 2.3.14[2] (7 December 2016) |
Preview release | 2.x (Git HEAD), built every Sunday 05:00 UTC on the main mirror |
Repository | sourceforge |
Written in | C |
Platform | Windows (XP or later),[3] OS X (10.8 or later), Android (4.0 or later),[4] iOS (6.0 or later),[5] Linux,[6] *BSD[7][8] |
Type | VPN |
License | GNU GPL |
Website | openvpn |
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[9] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).[10]
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username and password. When used in a multi-client server configuration, it lets the server issue an authentication certificate for every client, signed by its certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.
OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of OpenVPN protocol.
Private Tunnel VPN is a commercial spin-off of OpenVPN Technologies, a VPN service provider based in the US that, unusually, charges according to data transferred rather than per month.[11]
Architecture
Encryption
OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance.[12][13] Support for mbed TLS is available starting from version 2.3.[14]
Authentication
OpenVPN has several ways for peers to authenticate each other: pre-shared keys, certificate-based authentication, and username/password-based authentication. A pre-shared secret key is the easiest to set up, while certificate-based authentication is the most robust and feature-rich. Since version 2.0, username/password authentication can be enabled, with or without certificates. However, to use username/password authentication OpenVPN depends on third-party modules; see the Extensibility section for more information.
Networking
OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing the created SSL tunnels on a single TCP/UDP port[15] (RFC 3948 for UDP).[16] From the 2.3.x series on, OpenVPN fully supports IPv6 as the protocol of the virtual network inside a tunnel, and the OpenVPN applications can also establish connections over IPv6.[17] It can work through most proxy servers (including HTTP proxies) and is effective at traversing Network address translation (NAT) and firewalls. The server configuration can "push" certain network configuration options to the clients, including IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver: a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. Port 1194 is the official IANA-assigned port number for OpenVPN, and newer versions of the program default to that port. A feature of version 2.0 allows one process to manage several simultaneous tunnels, as opposed to the original "one tunnel per process" restriction of the 1.x series.
OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, "business grade," service tier.
When OpenVPN uses Transmission Control Protocol (TCP) transports to establish a tunnel, performance is acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. Once that no longer holds, performance falls off dramatically. This is known as the "TCP meltdown problem".[18][19]
Security
OpenVPN offers several internal security features. It provides up to 256-bit encryption through the OpenSSL library, although some service providers may offer lower encryption strengths, effectively making the connection faster.[20] It runs in userspace instead of requiring IP-stack (and therefore kernel) operation. OpenVPN can drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization, and apply a SELinux context after initialization.
OpenVPN runs a custom security protocol based on SSL and TLS[9] rather than supporting IKE, IPsec, L2TP or PPTP. OpenVPN supports smart cards via PKCS#11-based cryptographic tokens.
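As an added example, not part of the original article, the following Python script audits a server configuration for the protections named in the Encryption and Security sections above (the HMAC firewall enabled with `tls-auth`, and the `user`/`group`, `mlock` and `chroot` directives), with `persist-key`/`persist-tun` included because a daemon that has dropped privileges cannot reopen its keys or TUN device on restart. The two sample configurations are constructed for the demonstration.

```python
"""Audit an OpenVPN server config for the hardening directives discussed above:
privilege drop (user/group), mlock, chroot, the tls-auth "HMAC firewall", and
persist-key/persist-tun so the daemon can restart once privileges are gone."""

# Directive -> finding reported when it is absent.
CHECKS = {
    "user": "runs as root after init; add 'user nobody'",
    "group": "keeps the root group; add 'group nogroup'",
    "mlock": "key material may be swapped to disk; add 'mlock'",
    "chroot": "no chroot jail; add 'chroot /path/to/empty/dir'",
    "tls-auth": "control channel not HMAC-gated; add 'tls-auth ta.key 0'",
    "persist-key": "needed with user/group so keys survive a SIGUSR1 restart",
    "persist-tun": "needed with user/group so the TUN device survives a restart",
}

def parse_config(text: str) -> dict:
    """Map each directive to its argument list; '#' and ';' lines are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def audit(text: str) -> list:
    """Return the findings for a config; an empty list means every check passed."""
    conf = parse_config(text)
    findings = [msg for key, msg in CHECKS.items() if key not in conf]
    if conf.get("user") == ["root"]:
        findings.append("'user root' does not drop privileges")
    return findings

# Constructed sample configs (not taken from any real deployment).
WEAK = "port 1194\nproto udp\ndev tun\nca ca.crt\ncert server.crt\nkey server.key\n"
HARDENED = WEAK + ("tls-auth ta.key 0\nuser nobody\ngroup nogroup\n"
                   "persist-key\npersist-tun\nmlock\nchroot /var/empty\n")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "OK")
```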
Extensibility
OpenVPN can be extended with third-party plug-ins or scripts that are called at defined entry points.[21][22] These are commonly used to add more advanced logging, enhanced username/password authentication, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the script interface can execute any scripts or binaries available to OpenVPN. The OpenVPN source code[23] includes some example plug-ins, including a PAM authentication plug-in. Several third-party plug-ins also exist to authenticate against LDAP or SQL databases such as SQLite and MySQL. An overview of many of these extensions is maintained on the related project wiki page of the OpenVPN community.
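As an added example (not code from the page or from the OpenVPN project), the following Python script is a username/password hook of the kind the Authentication and Extensibility sections describe, written for OpenVPN's `auth-user-pass-verify <script> via-file` directive (which also requires `script-security 2` in the config). The credential store, salt and usernames are constructed for the demonstration.

```python
"""auth-user-pass-verify hook in OpenVPN's "via-file" style: OpenVPN writes the
username on line 1 and the password on line 2 of a temporary file, passes its
path as argv[1], and treats exit status 0 as accept and 1 as reject."""
import hashlib
import hmac
import os
import sys

SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice

def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; only derived keys are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: username -> (salt, derived key). A real hook
# would read this from a file or a database such as SQLite or LDAP.
USERS = {"alice": (SALT, derive("correct horse", SALT))}

def parse_via_file(text: str):
    """Return (username, password) from the two-line via-file format, or None."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None
    return lines[0].rstrip("\r"), lines[1].rstrip("\r")

def verify(username: str, password: str) -> bool:
    """Constant-time check; unknown users still pay the PBKDF2 cost so that
    response timing does not reveal which usernames exist."""
    salt, expected = USERS.get(username, (SALT, b"\x00" * 32))
    match = hmac.compare_digest(derive(password, salt), expected)
    return match and username in USERS

def main(argv) -> int:
    if len(argv) != 2:
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        creds = parse_via_file(fh.read())
    if creds is None:
        return 1
    ok = verify(*creds)
    # untrusted_ip is exported to the hook by OpenVPN before the peer is authenticated.
    peer = os.environ.get("untrusted_ip", "?")
    print(f"auth {'OK' if ok else 'FAIL'} user={creds[0]!r} from {peer}", file=sys.stderr)
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```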
Platforms
It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows XP and later.[24] OpenVPN is available for mobile phone operating systems (OS) including Maemo,[25] Windows Mobile 6.5 and below,[26] iOS 3GS+ devices,[27] jailbroken iOS 3.1.2+ devices,[28] Android 4.0+ devices, and Android devices that have had the Cyanogenmod aftermarket firmware flashed[29] or have the correct kernel module installed.[30] It is not compatible with some mobile phone OSes, including Palm OS. It is not a "web-based" VPN shown as a web page such as Citrix or Terminal Services Web access; the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard. OpenVPN is not compatible with VPN clients that use the IPsec over L2TP or PPTP protocols. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.
Firmware implementations
OpenVPN has been integrated into router firmware packages such as Vyatta, pfSense, DD-WRT,[31] OpenWrt[32] and Tomato,[33][34] allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, allows any computer on a network to access a VPN without the need to install OpenVPN. Web sites such as MyOpenRouter (dedicated to Netgear routers) discuss new hardware and firmware developments, with much discussion of OpenVPN, active as of December 2015.
Firmware Package | Cost | Developer | Link |
---|---|---|---|
DD-WRT | Free | NewMedia-NET GmbH | dd-wrt.com |
IPFire | Free | Community driven development | ipfire.org |
OpenWRT | Free | Community driven development | OpenWRT.org |
pfSense | Free | Rubicon Communications, LLC (Netgate) | pfsense.org |
Untangle | Free | Untangle, Inc. | Untangle.com |
Tomato | Free | Keith Moyer | tomatovpn.keithmoyer.com |
OpenVPN has been implemented in some manufacturer router firmware, such as the D-Link DSR-250[35] and some MikroTik routers.[36] MikroTik's implementation does not support the UDP protocol or LZO compression, which limits the attainable transfer speeds. MikroTik said in 2010 that they would not continue developing OpenVPN in favor of SSTP.[37]
Software implementations
OpenVPN has been integrated into SoftEther VPN, an open-source multi-protocol VPN server, to allow users to connect to the VPN server from existing OpenVPN clients.
Community
OpenVPN has many support options. The primary method for community support is through the OpenVPN mailing lists. Other sources of support, not directly affiliated with OpenVPN, include:
Support Source | Description |
---|---|
OpenVPN Documentation | 2.0 Manual, 2.1 Manual, 2.2 Manual, 2.3 Manual |
IRC | #openvpn on irc.freenode.net |
Forum | Official OpenVPN forums |
Community | Official OpenVPN wiki/bug tracker, OpenVPN e.V. community, Secure Computing Networks OpenVPN Wiki |
See also
- OpenConnect, which implements a TLS- and DTLS-based VPN
- OpenSSH, which also implements a layer-2/3 "tun"-based VPN
- stunnel, which encrypts any TCP connection (single-port service) over SSL
- UDP hole punching, a technique for establishing UDP "connections" between firewalled/NATed network nodes
- Point-to-Point Tunneling Protocol (PPTP), Microsoft's method for implementing a VPN
- Secure Socket Tunneling Protocol (SSTP), Microsoft's method for implementing a PPP-over-SSL VPN
- SoftEther VPN, an open-source VPN server program that supports the OpenVPN protocol
References
- ↑ OpenVPN Change Log
- ↑ https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
- ↑ "Downloads". openvpn.net. Retrieved 2 February 2016.
- ↑ "Private Tunnel VPN - Android Apps on Google Play".
- ↑ "Private Tunnel VPN". App Store. 23 October 2014.
- ↑ "How to connect to Access Server from a Linux computer".
- ↑ "FreeBSD Ports Search".
- ↑ "The NetBSD Packages Collection: net/openvpn".
- ↑ "OpenVPN Security Overview". Retrieved 28 September 2011.
- ↑ LinuxSecurity.com - OpenVPN: An Introduction and Interview with Founder, James Yonan
- ↑ Andrew Harrison (8 April 2015). "Private Tunnel review: VPN charges only for the data you use". PC Advisor. Retrieved 23 November 2015.
- ↑ Network security hacks By Andrew Lockhart - Hack #104 - Create a Cross-platform VPN
- ↑ IPv6 Deployment Guide By 6net - Chapter 5 - Integration and Transition
- ↑ Overview of changes in OpenVPN v2.3 - ChangesInOpenvpn23 - OpenVPN Community
- ↑ OpenVPN man page, section "TLS Mode Options"
- ↑ User Centric Media: First International Conference, UCMedia 2009, Venice, Italy, 9–11 December 2009, Revised Selected Papers By Patros Daras, Oscar Mayora Ibarra - Scalable IPTV Delivery to Home via VPN - Proposed Scheme
- ↑ OpenVPN community wiki, IPv6 in OpenVPN - retrieved 8 December 2013
- ↑ Titz, Olaf (23 April 2001). "Why TCP Over TCP Is A Bad Idea". Retrieved 17 October 2015.
- ↑ Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". doi:10.1117/12.630496. Retrieved 17 October 2015.
- ↑ "VPN Newbie Guide: Picking between OpenVPN, PPTP and L2TP". vpnpick.com. Retrieved 30 March 2014.
- ↑ "OpenVPN script entry points". Openvpn.net. Retrieved 30 July 2012.
- ↑ OpenVPN plug-in entry points for C based modules
- ↑ "OpenVPN example plug-ins". Openvpn.git.sourceforge.net. Retrieved 30 July 2012.
- ↑ "Downloads". openvpn.net. OpenVPN. Retrieved 6 August 2015.
- ↑ "OpenVPN Maemo package". Maemo.org. Retrieved 30 July 2012.
- ↑ "OpenVPN for PocketPC". Ovpnppc.ziggurat29.com. 1 April 2007. Retrieved 30 July 2012.
- ↑ "OpenVPN Connect". OpenVPN Technologies. 16 January 2013. Retrieved 16 January 2013.
- ↑ "GuizmOVPN - OpenVPN GUI for iPhone/iPad". guizmovpn.com. 30 September 2007. Retrieved 30 September 2012.
- ↑ cyanogen (7 July 2010). "CHANGELOG at eclair from CyanogenMod's android_vendor_cyanogen". GitHub. Retrieved 28 October 2010. Nexus One Cyanogenmod changelog
- ↑ "How to setup and configure OpenVPN on Android rooted device | VPN blog is actual information about VPN". Vpnblog.info. Retrieved 30 July 2012.
- ↑ dd-wrt.com - OpenVPN
- ↑ "Easy OpenVPN server setup guide - OpenWrt Wiki". Wiki.openwrt.org. Retrieved 30 July 2012.
- ↑ "TomatoVPN". Tomatovpn.keithmoyer.com. Retrieved 30 July 2012.
- ↑ LinksysInfo.org – VPN build with Web GUI
- ↑ "D-Link - Building Networks for People" (PDF).
- ↑ "OpenVPN".
- ↑ normis, MikroTik Support (26 October 2010). "Status of OpenVPN in RouterOS? - MikroTik RouterOS". Forum.mikrotik.com. Retrieved 28 December 2015.
External links
- OpenVPN project homepage
- OpenVPN presentation and demonstration video, Hampshire Linux User Group (Archive.org)