If you’ve ever used a commercial VPN service, chances are you’ve used the OpenVPN protocol. It’s one of the most popular and trusted VPN protocols available. But how does it work? What are the benefits and the pitfalls of using it? And, more importantly, is OpenVPN safe? Read on, and we’ll answer the above questions and more.
What is OpenVPN?
The OpenVPN protocol was written by James Yonan and was released to the public in 2002 under the GNU General Public License (GPL). Yonan’s background is in software development and financial trading. He currently serves as CTO of the OpenVPN project.
The OpenVPN protocol is likely the most flexible VPN protocol available. It can be used in different ways and can accommodate almost any network scenario.
You can use OpenVPN to bridge two distinct networks together through what is called a site-to-site connection. You can also configure OpenVPN to allow remote clients (i.e., your laptop, tablet, or phone) to access network resources and the internet through the server. This is called a client-server, or road warrior, configuration.
OpenVPN’s flexibility also extends to its supported authentication methods.
OpenVPN peers can authenticate each other using pre-shared keys, certificates, or the username/password scheme in a site-to-site setup. And in a client-server configuration, the server can also validate clients using certificates, signatures, and a certificate authority.
Regarding encryption, OpenVPN uses the OpenSSL library and the TLS protocol. It supports up to 256-bit encryption, which is very secure.
Platform support
If OpenVPN is one of the most widely used VPN protocols, it stands to reason that it’s supported on many different devices. Indeed, OpenVPN supports just about every operating system out there. So we have all of the larger platforms:
- Windows
- macOS
- Linux
- IOS
- Android
But also:
- FreeBSD
- OpenBSD
- NetBSD
- QNX
- Solaris
- Maemo
- ChromeOS
- DD-WRT
- OpenWrt
- Tomato
- OPNSense
- pfSense
- And even PalmOS…
That’s a lot of operating systems. Bear in mind that most operating systems don’t support OpenVPN out of the box. That means, in most cases, you need to download and install a third-party client.
How Does OpenVPN Work?
Peer requests
Everything starts with a peer requesting a connection to another peer, which is usually the server. This request is encrypted. The requesting peer can be a client requesting a connection to a server, in a road warrior configuration. Or it can be a server requesting a connection to another server, in a site-to-site connection.
Authentication
After the request is made, the peer needs to be authenticated by the host VPN server. Again, OpenVPN is very flexible in this regard. The peer can be authenticated using pre-shared keys, certificates, or the username/password scheme.
OpenVPN allows for public key infrastructure (PKI), which is usually handled by RSA.
From OpenVPN version 2.0 and later, a peer can also be authenticated by the hosting VPN server, using a combination of certificates and a username and password.
Encryption
As far as encryption goes, OpenVPN uses the OpenSSL library for both the data channel and the control channel.
In an OpenVPN connection, there are two channels through which different information flows. Your internet traffic flows through the data channel. So the websites you visit, the files you download, and your chat messages go through the data channel.
But, in parallel, the encryption and authentication mechanisms run through the control channel. This would be the username/password information, the certificates, HMAC (more on that below), and so on.
As we mentioned above, OpenVPN supports up to 256-bit encryption. It can also use HMAC packet authentication, via the control channel, for data integrity purposes. HMAC is a cryptographic hash that’s sent along with the traffic flowing through the VPN. Other peers on the network can hash the incoming traffic themselves, using the same key. If the resulting hashes match, the traffic is considered authentic. If they don’t match, the traffic is rejected.
ChaCha and AES are the most commonly used ciphers.
Protocols
OpenVPN has always supported the IPv4 protocol, and since OpenVPN 2.3, it also supports the IPv6 IP protocol. OpenVPN can even support IPv4 and IPv6 on the same server.
But aside from the IP protocols, OpenVPN also supports both UDP and TCP transport protocols. Let’s look at that in a little bit more detail.
TCP
TCP stands for Transmission Control Protocol. TCP includes a corrective mechanism that ensures the appropriate data is sent and in the correct order. If any packets are missing, TCP retransmits the missing packets and ensure that everything is in order. This corrective mechanism adds some overhead to TCP connections.
UDP
UDP stands for User Datagram Protocol. UDP has no corrective mechanism at all. It just sends data through the pipes and hopes for the best. That’s why it’s sometimes called “Unreliable Datagram Protocol”. However, UDP is usually much faster than TCP, as it has much less overhead and is usually the default transport protocol with VPN providers that support OpenVPN.
OpenVPN Benefits
Can get through restrictive networks
OpenVPN’s flexibility in data protocols makes OpenVPN able to get through most proxy servers and firewalls’ Network Address Translation (NAT), which can sometimes hinder VPN use.
OpenVPN can also run on arbitrary ports, which also helps it work through restrictive firewalls. Using an arbitrary port, in conjunction with TCP, enables you to disguise your VPN connection as regular traffic. For example, by running the OpenVPN server on port 443 and using TCP, your VPN traffic appears to be regular HTTPS traffic. And this helps with restrictive firewalls and proxy servers as well as ISPs or corporate networks blocking VPNs.
Be aware, however, that TCP is going to be much slower than UDP. That’s because of the additional overhead of its corrective mechanism. For TCP to work at decent speeds, it requires more bandwidth. If that extra bandwidth becomes insufficient or unavailable, performance can slow to a crawl. This is often called the “TCP meltdown problem”.
Most commercial VPN providers that support OpenVPN default to using UDP. Over UDP, a properly configured OpenVPN connection can be very fast.
OpenVPN configurations are highly customizable
The flexibility mentioned above goes beyond port and protocol selection. With OpenVPN, you can choose the ciphers, the supported TLS version(s), the network topology, whether to apply data compression or not and many more settings.
OpenVPN also supports adding custom directives, which enable you to assign static IP addresses to the connecting clients or to send the traffic through a proxy server after the VPN connection is made.
Whatever particularities your network might have, the chances are high that OpenVPN will be able to accommodate them.
Benefits from extensive platform support
As we mentioned above, OpenVPN is supported on practically every computing platform available, making it simpler to deploy.
Supports robust encryption and ciphers
OpenVPN supports up to 256-bit encryption and a long list of strong ciphers.
Supports Perfect Forward Secrecy
What Perfect Forward Secrecy does is regenerate the encryption keys at fixed intervals. As soon as the new keys are generated, they cannot be used to decrypt past or future sessions even if compromised.
Is under active development
OpenVPN is a living VPN protocol if you will. I mean that it is under active development, and updates are made available regularly. This means that if any vulnerabilities are discovered in the code, they should be patched quickly.
OpenVPN disadvantages
Speed
OpenVPN isn’t the fastest VPN protocol out there. Namely, IPsec and WireGuard are known to be faster than OpenVPN. Both IPsec and WireGuard use the UDP transport protocol, which, as we mentioned above, is faster than TCP. Hence, for the best speeds, you should use OpenVPN over UDP.
It can be complicated to set up
Because of its inherent flexibility and the number of optional directives it supports, OpenVPN can be difficult to configure. But this depends on the actual configuration you’re trying to achieve. Setting up a “vanilla” OpenVPN server isn’t very complicated and should be manageable for most users with a basic comprehension of OpenVPN.
It’s not natively supported
While OpenVPN supports many operating systems, its functionality isn’t built into any of them. That means you’re going to need to download a third-party client. The developers of OpenVPN provide their native app, called OpenVPN Connect, for macOS, Windows, Linux, iOS, and Android. And you can download it for free. If you’re using a different OS, you’ll need to download a client produced by a third-party developer. There are many.
Mobile support is somewhat flakey
Don’t get me wrong here, OpenVPN does work on mobile. However, OpenVPN has two issues on mobile when using the official OpenVPN Connect mobile app for iOS or Android.
- If you’re connected to the VPN over wi-fi, and your phone’s screen goes into sleep mode, wi-fi disconnects, and hence, so does the VPN connection. When you wake your phone up, it will attempt to reconnect, but some packets may go out to the internet unencrypted and reveal your real IP address.
- The same thing happens when switching from wi-fi to mobile data and vice versa.
Is OpenVPN safe?
Short answer: yes, with a but. The security of your OpenVPN setup largely depends on how the administrator of the VPN server configured it. It is possible to set up OpenVPN in an insecure, or at least less secure manner. Using static keys instead of public key infrastructure (PKI) is less secure, but both are options.
So, assuming the administrator configured the OpenVPN server with security in mind, OpenVPN is very secure. Here’s why.
Open-source security
OpenVPN is fully open-source. That means that anyone and everyone is free to inspect the code, modify the code, and distribute the code for their own purposes.
This freedom also adds security to the VPN protocol because the code is open to all. Nothing is hidden. No proprietary coding secrets. And no backdoors. OpenVPN has also been audited many times over the years. And while the security audit did identify certain vulnerabilities, they were all subsequently fixed. And no backdoors have ever been found.
OpenVPN is considered one of the most secure VPN protocols available today. Although the relatively new WireGuard protocol may eventually overtake OpenVPN, we’re not there yet.
OpenVPN supports strong, current ciphers
As we mentioned above, OpenVPN supports strong, current open-source ciphers. The same encryption that banks use to secure online banking transactions. As long as it’s configured correctly, OpenVPN provides strong cryptography that keeps your online activities private.
Strong encryption and ciphers coupled with Perfect Forward Secrecy support (see above) make OpenVPN very secure—and hence safe.
Wrapping up
With its strong cryptography, unparalleled flexibility, and open-source code, OpenVPN is one of the best VPN protocols publicly available. Set up with UDP, it can be quite fast. And it can accommodate pretty much any kind of network particularity. OpenVPN is probably the most customizable VPN protocol available, but you’ll need to know your stuff…
And in case you’re wondering, I use OpenVPN everyday. Most commercial VPN providers support OpenVPN on their networks — though some newer services have dropped it in favor of the far more lightweight WireGuard. Nevertheless, the chances are that, if you’ve used a commercial VPN before, you’ve likely already used the OpenVPN protocol.
OpenVPN is one of the most commonly used VPN protocols for all the reasons listed above. And because the protocol has been around for a long time and during that time, it’s undergone several security audits and peer reviews, you can be assured that OpenVPN is safe to use.
Stay safe (and use OpenVPN).
