OpenVPN

OpenVPN

Original author(s)	James Yonan
Developer(s)	OpenVPN project / OpenVPN Technologies, Inc.
Initial release	1.1.0 / April 10, 2002; 11 years ago (2002-04-10)[1]
Stable release	2.3.1 (March 29, 2013 (2013-03-29)) [±]
Preview release	2.x (Git HEAD) (Every Sunday 05:00 GMT -5 Main Mirror) [±]
Platform	Cross-platform
Type	VPN
License	GNU GPL
Website	openvpn.net/index.php/open-source.html

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol^[2] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).^[3]

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

Architecture

Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance.^[4][5] Support for PolarSSL is coming in version 2.3

Authentication

OpenVPN has several ways to authenticate peers to each another. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. Preshared secret key is the easiest, with certificate based being the most robust and feature-rich. In version 2.0 username/password authentications can be enabled, both with or without certificates. However to make use of username/password authentications, OpenVPN depends on third-party modules. See the Extensibility paragraph for more info.

Networking

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing created SSL tunnels on a single TCP/UDP port^[6] (RFC 3948 for UDP).^[7] It has the ability to work through most proxy servers (including HTTP) and is good at working through Network address translation (NAT) and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. Port 1194 is the official IANA assigned port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows for one process to manage several simultaneous tunnels, as opposed to the original "one tunnel per process" restriction on the 1.x series.

OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, "business grade," service tier. ^{[example needed]}

Security

OpenVPN offers several internal security features. It runs in userspace, instead of requiring IP stack (and therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization and apply a SELinux context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS.^[2] OpenVPN offers support of smart cards via PKCS#11 based cryptographic tokens.

Extensibility

OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined entry points.^[8][9] The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code^[10] there are some examples of such plug-ins, including a PAM authentication plug-in. There also exists several third party plug-ins to authenticate against LDAP or SQL databases such as SQLite and MySQL. There is an overview over many of these extensions in the related project wiki page for the OpenVPN community.

Platforms

It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista/7. While some mobile phone OSes (Palm OS, etc.) do not support OpenVPN, it is available for Maemo,^[11] Windows Mobile 6.5 and below,^[12] iOS 3GS+ devices,^[13] jailbroken iOS 3.1.2+ devices,^[14] Android 4.0+ devices, and Android devices that have had the Cyanogenmod aftermarket firmware flashed^[15] or have the correct kernel module installed.^[16] It is not a "web-based" VPN, meaning that it is not shown as a web page such as Citrix or TS Web access - the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard. OpenVPN is not compatible with IPsec or any other VPN package. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.

Notable client software

While OpenVPN is a command-line utility, it provides a management interface specifically designed to allow for establishment and control of an OpenVPN daemon by external software.^[17] This has allowed for the development of a number of third-party clients that provide a GUI for connecting to an OpenVPN server.

Client	Operating System	Cost	Developer	Latest release	Link	Notes
OpenVPN Connect	Microsoft Windows & Mac OS X	Free[18]	OpenVPN Technologies, Inc.	1.8.3.347 / April 11, 2011; 2 years ago (2011-04-11)	Commercial version download	Designed for use with OpenVPN Access Server, a commercial version of OpenVPN.[19]
OpenVPN Connect for Android	Android 4.0+	Free	OpenVPN Technologies, Inc.	1.1.11 / March 29, 2013; 54 days ago (2013-03-29)	Google Play Download	Designed for use with OpenVPN Community, OpenVPN Access Server, and PrivateTunnel. Allows only tun connections.
Viscosity	Microsoft Windows & Mac OS X	Paid	SparkLabs	1.4.3 / January 22, 2013; 3 months ago (2013-01-22)	sparklabs.com/viscosity	Requires .NET on Windows.
OpenVPN MI GUI	Microsoft Windows	Free	Boris Wesslowski	20130109 / January 9, 2013; 4 months ago (2013-01-09)	openvpn-mi-gui.inside-security.de	Enhanced version of the bundled Windows GUI client.
SecurepointSSLVPN	Microsoft Windows	Free	Securepoint GmbH	v1 / November 9, 2012; 6 months ago (2012-11-09)	sourceforge.net/projects/securepoint	Multiple connections, TAP-Wins32 Adapter control, no administrator permission is needed to set the route, OTP support, configuration management
OpenVPN Portable	Microsoft Windows	Free	Lukas Landis	1.8.2 / December 7, 2012; 5 months ago (2012-12-07)	sourceforge.net/projects/ovpnp	Installs TAP-Win32 Adapter V9 at startup and uninstalls adapter after shutdown.
tunXten	Microsoft Windows	Paid	TungstenMine	1.0.8.1 / April 8, 2013; 44 days ago (2013-04-08)	www.tunxten.com	Can be used for free, with restrictions.[20]
Tunnelblick	Mac OS X	Free	Tunnelblick	3.2.8 / August 10, 2012; 9 months ago (2012-08-10)	code.google.com/p/tunnelblick
Shimo	Mac OS X	Paid	ChungwaSoft	2.3.3 / January 17, 2011; 2 years ago (2011-01-17)	shimoapp.com
OpenVPN Settings	Android 1.5+	Free	Friedrich Schäuffelhut	0.4.14 / November 26, 2012; 5 months ago (2012-11-26)	code.google.com/p/android-openvpn-settings	Requires a rooted device.
OpenVPN for Android	Android 4.0.3+	Free	Arne Schwabe	0.5.36a / April 17, 2013; 35 days ago (2013-04-17)	code.google.com/p/ics-openvpn	Allows only tun connections
GuizmOVPN	iOS	Paid	Guizmo	1.1.7 / August 4, 2012; 9 months ago (2012-08-04)	GuizmOVPN.com	Only available for JailBroken iOS devices.
OpenVPN Connect	iOS	Free	OpenVPN Technologies	1.0.0 / January 16, 2013; 4 months ago (2013-01-16)	iTunes App Store - OpenVPN Connect
Umbrella Mobility	iOS	Free	OpenDNS	1.0.7 / January 30, 2013; 3 months ago (2013-01-30)	iTunes App Store - OpenVPN Connect

Firmware implementations

OpenVPN has been integrated into routing firmware packages such as Vyatta, pfSense, DD-WRT,^[21][22] OpenWrt^[23] and Tomato,^[24][25] allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, facilitates users within that network to access their VPN without having to install OpenVPN on each computer on that network.

Firmware Package	Cost	Developer	Link
AsusWRT-Merlin	Free	Open Source private development	lostrealm.ca
DD-WRT	Free	NewMedia-NET GmbH	dd-wrt.com
IPFire	Free	Community driven development	ipfire.org
OpenWRT	Free	Community driven development	OpenWRT.org
PfSense	Free	BSD Perimeter LLC	pfsense.org
Tomato	Free	Keith Moyer	tomatovpn.keithmoyer.com

OpenVPN has also been implemented in some default manufacturer router firmware, such as the Dlink DSR-250^[26] and all recent MikroTik Routers.^[27]

Community

A circa 2005 version of the OpenVPN community logo.

There are many support options for OpenVPN. The primary method for community support is through the OpenVPN mailing lists. Other sources of support, not directly affiliated with OpenVPN include:

Support Source	Description
OpenVPN Documentation	2.0 Manual 2.1 Manual 2.2 Manual 2.3 Manual
IRC	#openvpn on irc.freenode.net
Forum	Official OpenVPN forums
Community	Official OpenVPN wiki/bug tracker OpenVPN e.V. community Secure Computing Networks OpenVPN Wiki

See also

	Free software portal
	Cryptography portal

• OpenSSH, which also implements a level-2/3 "tun"-based VPN
• stunnel encrypt any TCP connection (single port service) over SSL
• UDP hole punching, a technique for establishing UDP "connections" between firewalled/NATed network nodes
• Point-to-Point Tunneling Protocol (PPTP) Microsoft method for implementing VPN
• Secure Socket Tunneling Protocol (SSTP) Microsoft method for implementing PPP over SSL VPN
• BartVPN, a VPN client implementing OpenVPN

References

1. SourceForge.net - OpenVPN: openvpn-announce
2. "OpenVPN Security Overview". Retrieved 28 September 2011. 
3. LinuxSecurity.com - OpenVPN: An Introduction and Interview with Founder, James Yonan
4. Network security hacks By Andrew Lockhart - Hack #104 - Create a Cross-platform VPN
5. IPv6 Deployment Guide By 6net - Chapter 5 - Integration and Transition
6. OpenVPN man page, section "TLS Mode Options"
7. User Centric Media: First International Conference, UCMedia 2009, Venice, Italy, December 9–11, 2009, Revised Selected Papers By Patros Daras, Oscar Mayora Ibarra - Scalable IPTV Delivery to Home via VPN - Proposed Scheme
8. "OpenVPN script entry points". Openvpn.net. Retrieved 2012-07-30. 
9. OpenVPN plug-in entry points for C based modules^{[dead link]}
10. "OpenVPN example plug-ins". Openvpn.git.sourceforge.net. Retrieved 2012-07-30. 
11. "OpenVPN Maemo package". Maemo.org. Retrieved 2012-07-30. 
12. "OpenVPN for PocketPC". Ovpnppc.ziggurat29.com. 2007-04-01. Retrieved 2012-07-30. 
13. "OpenVPN Connect". OpenVPN Technologies. 2013-01-16. Retrieved 2013-01-16. 
14. "GuizmOVPN - OpenVPN GUI for iPhone/iPad". guizmovpn.com. 2007-09-30. Retrieved 2012-09-30. 
15. cyanogen (7 July 2010). "CHANGELOG at eclair from CyanogenMod's android_vendor_cyanogen". Github. Retrieved 28 October 2010. Nexus One Cyanogenmod changelog
16. "How to setup and configure OpenVPN on Android rooted device | VPN blog is actual information about VPN". Vpnblog.info. Retrieved 2012-07-30. 
17. "Management Interface". Openvpn.net. Retrieved 2012-07-30. 
18. http://openvpn.net/index.php/access-server/pricing.html
19. "Access Server Overview". Openvpn.net. Retrieved 2012-07-30. 
20. "tunXten OpenVPN GUI Client | FAQ". Tunxten.com. Retrieved 2012-07-30. 
21. dd-wrt.com - OpenVPN
22. Geek-Pages.com - OpenVPN server and client on DD-WRT
23. "Easy OpenVPN server setup guide - OpenWrt Wiki". Wiki.openwrt.org. Retrieved 2012-07-30. 
24. "TomatoVPN". Tomatovpn.keithmoyer.com. Retrieved 2012-07-30. 
25. LinksysInfo.org – VPN build with Web GUI
26. http://www.dlink.com/us/en/business-solutions/security/services-routers/-/media/Business_Products/DSR/DSR%20250/Manual/DSR%20250_Manual_104_EN_US.pdf
27. http://wiki.mikrotik.com/wiki/OpenVPN

External links

• OpenVPN project homepage
• OpenVPN presentation and demonstration video Hampshire Linux User Group. Archive.org. details.