
OpenVPN

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 99.37.224.115 (talk) at 16:17, 21 July 2010 (→ Third-party client software).

OpenVPN
Original author(s): James Yonan
Developer(s): OpenVPN Technologies, Inc.
Stable release: 2.1.1 / December 11, 2009
Repository:
Platform: Cross-platform
Type: VPN
License: GNU GPL
Website: openvpn.net/index.php/open-source.html

OpenVPN is a free and open source software application that implements virtual private network (VPN) solutions for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses SSL/TLS security for encryption and is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

Introduction

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username/password. When used in a multi-client server configuration, it allows the server to issue an authentication certificate for every client, using signatures and a certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista. Although Windows, Windows Mobile, Android, iPhone, etc. include built-in support for VPNs, they do not include OpenVPN. It must be installed as a separate program and configured by editing text files manually, rather than through the normal GUI. It is not a "web-based" VPN, meaning that it is not presented as a web page in the way Citrix or TS Web Access are. OpenVPN is not compatible with IPsec or any other VPN package. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used. It is sometimes used by computer gamers as a way of accessing LAN games over the Internet.

Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance.

Authentication

OpenVPN has several ways to authenticate peers to one another. OpenVPN offers pre-shared secret key, certificate-based, and username/password-based authentication. Pre-shared secret key is the easiest to set up, while certificate-based authentication is the most robust and feature-rich. Username/password authentication is a new feature (version 2.0) that can be used with or without a client certificate (the server still needs a certificate). The source tarball includes a sample Perl script to verify the username/password with PAM and a C auth-pam plugin.

Networking

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing the tunnels it creates on a single TCP/UDP port. It has the ability to work through most proxy servers (including HTTP proxies) and is good at working through network address translation (NAT) and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet tap (TAP) that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. Port 1194 is the official IANA-assigned port number for OpenVPN, and newer versions of the program default to that port. A feature in the 2.0 version allows one process to manage several simultaneous tunnels, as opposed to the original "one tunnel per process" restriction of the 1.x series.

OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, "business grade," service tier.

Security

OpenVPN offers several internal security features. It runs in user space rather than in the IP stack (and therefore the kernel). OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization, and apply an SELinux context after initialization.

OpenVPN offers support of smart cards via PKCS#11 based cryptographic tokens.
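The following server configuration is an added example, not taken from the article or from the OpenVPN project, that ties together the Encryption, Authentication, Networking and Security sections above: it enables the "HMAC firewall" (tls-auth), certificate plus PAM username/password authentication, a TUN tunnel on the IANA port with pushed routes, and the privilege-dropping, memory-locking and chroot features. The file names ca.crt, server.crt, server.key, dh1024.pem, ta.key, the plugin path, the chroot directory and the address ranges are assumptions.

```conf
# Added example (not from the original article): an OpenVPN 2.1-era
# server.conf exercising the features described above.
# Assumed file names: ca.crt, server.crt, server.key, dh1024.pem, ta.key.

# Networking: UDP on the IANA-assigned port, a layer-3 TUN interface,
# optional LZO compression of the data stream.
port 1194
proto udp
dev tun
comp-lzo

# Authentication: X.509 certificates issued by our own CA; the TLS
# handshake verifies each client's certificate against ca.crt.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

# Encryption: cipher and HMAC are provided by OpenSSL. tls-auth adds
# the "HMAC firewall": control-channel packets that lack a valid HMAC
# keyed by ta.key are dropped before any TLS processing takes place.
cipher AES-256-CBC
auth SHA1
tls-auth ta.key 0

# Optional username/password check via the bundled auth-pam plugin,
# required in addition to the client certificate (plugin path assumed).
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

# Multi-client mode: one process, many tunnels. Each client is pushed
# an address from 10.8.0.0/24 and a route to the internal LAN (assumed).
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120

# Security: drop root after initialization, lock process memory so
# keys are never swapped to disk, and confine the process to a chroot
# jail (assumed directory). persist-key/persist-tun keep the tunnel
# working across restarts once privileges are gone and the key files
# are no longer readable.
user nobody
group nogroup
mlock
chroot /var/empty/openvpn
persist-key
persist-tun
# setcon <selinux_context>   ; placeholder: apply an SELinux context on SELinux hosts
```

Because the plugin is loaded and the certificate and key files are read before the user, group and chroot directives take effect, those paths are resolved relative to the original root, not the jail.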

Community

There are many support options for OpenVPN. The primary method for community support is through the OpenVPN mailing lists. Other sources of support, not directly affiliated with OpenVPN include:

Support source: Description
OpenVPN Documentation: 2.0 Manual, 2.1 Manual
IRC: #openvpn on irc.freenode.net
Forum: OpenVPN Forum
Community: Official OpenVPN community; OpenVPN e.V. community

Third-party client software

Client          | Operating system  | Cost | Link
OpenVPN GUI     | Microsoft Windows | Free | http://openvpn.se
OpenVPN Client  | Microsoft Windows | Free | Sourceforge project
Tunnelblick     | Mac OS X          | Free | http://code.google.com/p/tunnelblick
Viscosity       | Mac OS X          | Paid | http://viscosityvpn.com
Shimo           | Mac OS X          | Paid | http://www.shimoapp.com
OpenVPN         | DD-WRT            | Free | DD-WRT
TomatoVPN       | Tomato (firmware) | Free | TomatoVPN
TunnelDroid     | Android           | Free | TunnelDroid Source, Market Download (has been merged with OpenVPN Settings)
OpenVPN Settings | Android          | Free | OpenVPN Settings
LiliVPN         | Cross-platform    | Free | LiliVPN

Implementations

OpenVPN has been integrated into routing firmware packages such as Vyatta, DD-WRT, OpenWRT and Tomato (firmware),[1][2][3][4] allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, allows users within that network to access the VPN without having to install OpenVPN on each computer on that network.

References

  1. dd-wrt.com - OpenVPN
  2. Geek-Pages.com - OpenVPN server and client on DD-WRT
  3. TomatoVPN
  4. LinksysInfo.org - VPN build with Web GUI