Advantages and History of OpenVPN
Ahren Stevens-Taylor
Advantages of OpenVPN
With the advent of OpenVPN a new generation of VPN entered the scene. While other VPN solutions often use proprietary or non-standard mechanisms, OpenVPN has a modular concept, both for underlying security and for networking. OpenVPN uses the secure, stable, and lauded SSL/TLS mechanisms and combines them in its own reliability layer. It does not suffer from the complexity that characterizes other VPN implementations like the market leader IPsec. At the same time, it offers possibilities that go beyond every other VPN implementation’s scope.
- Layer 2 and Layer 3 VPN: OpenVPN offers two basic modes, running either as a Layer 2 or a Layer 3 VPN. In Layer 2 mode, OpenVPN tunnels can also transport Ethernet frames, IPX packets, and Windows Network Browsing (NetBIOS) packets, all of which are problematic in most other VPN solutions.
- Protecting field workers with the internal firewall: A field worker connected to the central branch of their company with a VPN tunnel can change the network setup on their laptop so that all of their network traffic is sent through the tunnel. Once OpenVPN has established a tunnel, the central firewall in the company’s central branch can protect the laptop, even though it is not a local machine. Only one network port must be opened to the local (customers’) network by the field worker. The employee is protected by the central firewall whenever they are connected to the VPN. Even better, the administrator of the central VPN server can force the client to use the central firewall by pushing configuration options to the clients.
- OpenVPN connections can be tunneled through almost every firewall and proxy: If you have Internet access and can access HTTPS websites, then OpenVPN tunnels should work. Setups where OpenVPN tunnels are banned are very rare. OpenVPN has full proxy support, including authentication.
- Server and client mode, UDP and TCP support: OpenVPN can be configured to run as a TCP or UDP service and as a server or client. As a server, OpenVPN simply waits until a client requests a connection, whereas a client establishes a connection according to its configuration. A server on the Internet can be closed off completely to every machine except those in its virtual private network, which raises the security level of such systems enormously.
- Only one port in the firewall must be opened to allow incoming connections: Since OpenVPN 2.0, the special server mode allows multiple incoming connections on the same TCP or UDP port, while still using different configurations for every single connection.
- No problems with NAT: Both the OpenVPN server and its clients can sit within a network using only private IP addresses. Any firewall can be used to forward the tunnel traffic to the other tunnel endpoint.
- Virtual interfaces allow flexible, very specific networking and almost every imaginable firewall rule: All restrictions, mechanisms like forwarding, and concepts like NAT (Network Address Translation) or packet mangling (changing the metadata of network datagrams, as some firewalls do) can be used with and within OpenVPN tunnels. Any IP protocol is possible. Yes, you can tunnel VPNs, like IPsec, inside an OpenVPN tunnel.
- High flexibility with extensive scripting possibilities: OpenVPN offers numerous points during connection setup to start individual scripts. These scripts can be used for a great variety of purposes from authentication to failover and more.
- Transparent, high-performance support for dynamic IPs: By using OpenVPN, there is no longer a need to use expensive, static IPs on either side of the tunnel. Both tunnel endpoints can have cheap DSL access with dynamic IPs. The users will rarely notice a change of IP on either side: Windows Terminal Server and Secure Shell (SSH) sessions will only seem to hang for a few seconds, but they will not terminate and will carry on with the requested action after a short pause. All traffic can be compressed through the LZO library, and OpenVPN continuously checks whether the compression has been successful. So-called adaptive compression only ‘zips’ data that is not already compressed, avoiding unnecessary overhead.
- Simple installation on any platform: Both installation and use are incredibly simple. Especially if you have tried to set up IPsec connections with different implementations, you will find OpenVPN appealing.
- Modular Design: The modular design with a high degree of simplicity both in security and networking is outstanding. No other VPN solution can offer the same options at this level of security.
- Support for mobile and embedded: More and more mobile devices are supported. Packages for Windows Mobile and Nokia’s Maemo platform, and for embedded operating systems like OpenWrt/FreeWrt, have all been provided recently, and there are many others in development.
- Very active community: OpenVPN has acquired a huge number of fans in the last few years. There are high-availability installations serving large numbers of users.
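Several of the points above correspond directly to OpenVPN 2.x configuration directives: the single-port server mode (server, port, proto), the Layer 2 versus Layer 3 choice (dev tap versus dev tun), forcing a field worker's traffic through the central firewall (push "redirect-gateway"), authenticated proxy support (http-proxy), adaptive LZO compression (comp-lzo adaptive) and the script hooks (client-connect and friends). The following Python script is an added example, not code from the original page or from the OpenVPN project: it parses a server and a client configuration, summarizes these properties, and flags a server configuration that does not force clients through the central firewall. Both configuration texts, the hostnames, file names and the hook script path are constructed for the example; the directive names themselves are real OpenVPN 2.x directives.

```python
"""Parse OpenVPN 2.x configurations and report the deployment properties
discussed above.  Added example; sample configs are constructed."""
import shlex

# Constructed server config: OpenVPN 2.0 "server mode" on one UDP port,
# pushing the default route so every client's traffic crosses the central
# firewall, with adaptive LZO compression and one connection-time hook.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo adaptive
persist-key
persist-tun
client-connect /etc/openvpn/on-connect.sh
"""

# Constructed client config for a field worker behind an authenticating
# HTTP proxy (hostnames and file names are placeholders).
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.org 1194
http-proxy proxy.corp.example 3128 proxy-auth.txt basic
ca ca.crt
cert laptop.crt
key laptop.key
comp-lzo adaptive
persist-key
persist-tun
"""

# Directives that run an external script at some point of connection setup.
SCRIPT_HOOKS = {"up", "down", "client-connect", "client-disconnect",
                "auth-user-pass-verify", "tls-verify", "learn-address",
                "route-up"}


def parse(text):
    """Return [(directive, [args]), ...] in file order.  Lines starting with
    '#' or ';' are comments; quoted arguments (push "...") stay intact."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def first(entries, name):
    """Arguments of the first occurrence of a directive, or None."""
    for directive, args in entries:
        if directive == name:
            return args
    return None


def summarize(text):
    """Map the properties from the advantages list onto the directives."""
    entries = parse(text)
    names = [d for d, _ in entries]
    dev = (first(entries, "dev") or ["?"])[0]
    layer = 3 if dev.startswith("tun") else 2 if dev.startswith("tap") else None
    pushed = [" ".join(a) for d, a in entries if d == "push"]
    proto = (first(entries, "proto") or ["udp"])[0]   # OpenVPN defaults
    port = (first(entries, "port") or ["1194"])[0]
    is_server = "server" in names
    return {
        "role": "server" if is_server else "client" if "client" in names else "p2p",
        "layer": layer,
        # Only this one endpoint needs to be opened in the server's firewall.
        "listen": f"{proto}/{port}" if is_server else None,
        "forces_central_firewall": any(p.startswith("redirect-gateway") for p in pushed),
        "adaptive_compression": first(entries, "comp-lzo") == ["adaptive"],
        "proxy": first(entries, "http-proxy"),
        "script_hooks": {d: a[0] for d, a in entries if d in SCRIPT_HOOKS and a},
    }


def audit_server(text):
    """Findings a reviewer of the server config would want to see."""
    s = summarize(text)
    findings = []
    if s["role"] != "server":
        findings.append("no 'server' directive: not in server mode, so one port per client")
    if not s["forces_central_firewall"]:
        findings.append("no push \"redirect-gateway\": clients are not routed through the central firewall")
    for hook, path in s["script_hooks"].items():
        findings.append(f"{hook} runs {path} during connection setup; review it with the config")
    return findings


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(name, summarize(conf))
    for finding in audit_server(SERVER_CONF):
        print("finding:", finding)
```

Dropping the push "redirect-gateway def1" line from the server configuration reproduces the situation the list warns against: the tunnel still comes up, but the laptop's non-VPN traffic bypasses the central firewall, and audit_server reports it.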
History of OpenVPN
According to an interview on http://linuxsecurity.com published in 2003, James Yonan was traveling in Central Asia in the days prior to September 11, 2001 and connecting to his office over Asian or Russian Internet Providers.
The fact that these connections were established over servers in countries with very dubious security made him more and more aware of and concerned about security issues. His research revealed that there were two main streams in VPN technology, one promoting security, and the other usability. None of the solutions available at that time offered an ideal blend of both objectives. IPsec and all of its implementations were difficult to set up, but offered acceptable security. However, its complex structure made it vulnerable to attacks, bugs, and security flaws. Therefore, the networking approach Yonan found in some of the usability camp’s solutions seemed to make more sense to him, leading him to a modular networking model using the TUN/TAP virtual networking devices that are provided by the Linux kernel.
After some study of the open source VPN field, my conclusion was that the ‘usability first’ camp had the right ideas about networking and inter-network tunneling, and the SSH, SSL/TLS, and IPSec camps had the appropriate level of seriousness toward the deep crypto issues. This was the basic conceptual starting point for my work on OpenVPN.
James Yonan in a LinuxSecurity.com interview on November 10, 2003. (http://www.linuxsecurity.com/content/view/117363/49/)
Choosing the TUN/TAP devices as a networking model immediately offered a flexibility that other VPN solutions could not offer. While other SSL/TLS-based VPN solutions needed a browser to establish connections, OpenVPN would prepare almost real (but still virtual) network devices, on which almost all networking activities can be carried out.
Yonan then chose the name OpenVPN with respect to the libraries and programs of the OpenSSL project and because of the clear message that this is open source and free software.