OpenVPN VPN Protocol

OpenVPN is an open-source virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections. It was developed to be compatible with the most commonly used operating systems and offer configuration options that maximize flexibility, including using either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) communications. The application is published under the GNU General Public License (GPL) to promote more widespread adoption.

Description

The purpose of OpenVPN is to allow users to set up a secure point-to-point or site-to-site connection by creating a secure VPN connection. In common with Secure Socket Tunneling Protocol (SSTP), OpenVPN relies on Secure Sockets Layer/Transport Layer Security (SSL/TLS) for authentication and encryption key exchange. OpenVPN uses port 443 to send encapsulated data over an SSL/TLS channel. OpenVPN uses a bespoke data encapsulation security protocol based on SSL and TLS, rather than using the Point-to-Point Protocol (PPP) or Layer Two Tunneling Protocol (L2TP) as SSTP does. OpenVPN uses the OpenSSL library to implement data and control-channel encryption, allowing the use of all the ciphers available in that package, including the military-grade AES algorithm with a 256-bit key.

OpenVPN includes authentication options using access credentials (username and password), certificates, or a pre-shared secret key. This offers significant flexibility for managing a broad range of applications and devices, including compatibility with NAT (Network Address Translation) devices. The following guide shows how OpenVPN can be configured on a Linksys Smart Wi-Fi Router.

OpenVPN can be configured to use UDP, which is designed to minimize latency at the expense of reliability by not implementing error identification and correction logic for transmissions. This protocol is suited to activities where high bandwidth is more important than data integrity, such as streaming multimedia files and gaming. Alternatively, OpenVPN can be configured to use TCP. While not as fast as UDP, TCP includes error correction and automatic retransmission logic to provide reliable end-to-end data transfer. This is ideal in situations where dependable data transfer is more critical than bandwidth, such as transferring sensitive information or authentication credentials.

One disadvantage of using TCP rather than UDP is that running a TCP tunnel inside a VPN connection that itself runs over a standard TCP connection is prone to the TCP meltdown problem. If there is insufficient bandwidth on the un-tunneled network to guarantee that the tunneled TCP timers do not expire during transmission, the messaging process may fail and the latency of the connection increases markedly. This can then cause further bandwidth restrictions, exacerbating the problem until the TCP tunnel stops operating correctly. This can be a significant issue if a TCP meltdown occurs during a critical data transfer operation.

OpenVPN takes advantage of establishing an SSL/TLS session, including 256-bit encryption, traffic integrity checking, and key negotiation. These features offer significant benefits over Point-to-Point Tunneling Protocol (PPTP) and L2TP/IPSec.

Advantages

OpenVPN is an open-source protocol with a large and active community of users. This reduces the risk of known vulnerabilities remaining unpatched for significant periods or backdoors being allowed to exist.

OpenVPN is compatible with a broad range of platforms covering all the popular operating systems such as Windows, macOS, Linux, Android, iOS, and the more specialist platforms, including Solaris and OpenBSD. Microsoft’s instructions show how relatively straightforward the migration from SSTP to OpenVPN can be with the right technical knowledge. Setting up an OpenVPN Server on Linux is also comparatively uncomplicated.

OpenVPN can use a range of encryption ciphers, including the robust AES algorithm with 256-bit encryption, which offers excellent security levels. This is considerably more secure than other popular protocols using the same length for the encryption key. It has fewer implementation vulnerabilities that open up the encryption algorithm to being broken using flaws in the code rather than relying on a brute-force attack on the key itself. One benefit of using a protocol with a robust encryption algorithm is the protection offered for sensitive personal or financial information.

As OpenVPN uses the SSL/TLS channel over TCP port 443, its traffic is indistinguishable from regular Hypertext Transfer Protocol Secure (HTTPS) traffic. It cannot be identified by Internet Service Providers (ISPs) or firewalls looking to block VPN traffic. Unlike SSTP, it is not practical to examine the traffic in transit and identify any header information that gives away that it is not HTTPS traffic. This makes the protocol ideal for circumventing ISPs and firewalls that block VPN traffic. Also, unlike SSTP, OpenVPN can be configured to use other ports if necessary to bypass any blocks encountered. This additional flexibility makes the protocol ideal for users seeking to avoid comprehensive internet controls and aggressive monitoring, particularly where ISPs have blocked VPN use for commercially motivated reasons.

For example, Comcast previously designated its @Home product as a strictly residential service that did not allow commercial applications. The company also defined that the primary use of a VPN is to connect Internet users with a work network. Hence, the company determined that VPNs were a business use-only tool that domestic consumers would not require. Their argument was that the use of a VPN was incompatible with residential-only internet use. The reasoning then went on to say that anyone using a VPN must be using the internet for business purposes and hence would not be entitled to subscribe to a more economical domestic tariff. The justification for this policy was that using a VPN would disrupt network performance for other users due to increased traffic levels. Comcast offered the @Home Professional product as an alternative. This service was advertised as being designed to meet the needs of small office/home office customers that would require access to a VPN. This product came with a higher cost than the @Home product. Hence, any user wishing to use a VPN would have to subscribe to the higher-priced, “business-grade” service tier. These Comcast products have now been superseded by the Xfinity services, which allow VPN traffic.

Disadvantages and Vulnerabilities

OpenVPN is not available as a pre-installed service, and as an application it is complex to install and configure, requiring specialist technical knowledge to implement a fully secure solution correctly. Users who do not have access to the required expertise will need to source an OpenVPN-based service that is supplied pre-configured.

The use of a robust encryption algorithm results in a relatively slow encryption speed, which can adversely impact network bandwidth and latency where large data throughput is required. However, the protocol can be configured to use faster and less secure encryption algorithms if necessary.
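The configuration choices discussed above (the cipher and its 256-bit key, the choice of credentials, certificates or a pre-shared key for authentication, TCP versus UDP and the port the tunnel uses, and the option of trading security for speed) all live in the OpenVPN configuration file. The following is an added example, not code from the article or from the OpenVPN project: a small Python linter that parses an OpenVPN client configuration and reports the choices that weaken the tunnel. The two sample configurations, the host name `vpn.example.invalid`, and the file names `ca.crt`, `client.crt`, `client.key` and `tc.key` are constructed for this example; the directive names themselves (`proto`, `cipher`, `data-ciphers`, `tls-version-min`, `tls-crypt`, `tls-auth`, `remote-cert-tls`, `verify-x509-name`, `auth-user-pass`) are real OpenVPN directives.

```python
"""Added example: a linter for OpenVPN client configuration files.

Not part of the article or the OpenVPN project. It parses the directives the
article discusses (transport, cipher, TLS control channel, client credential)
and reports the choices that weaken the tunnel. The sample configurations and
the names in them are constructed for this example.
"""
import shlex

# Constructed sample: a client configuration with the weaker choices.
WEAK_CONF = """\
client
dev tun
proto tcp
remote vpn.example.invalid 443
cipher BF-CBC
tls-version-min 1.0
auth-user-pass
verb 3
"""

# Constructed sample: the hardened equivalent of the same client.
HARDENED_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
verify-x509-name vpn.example.invalid name
ca ca.crt
cert client.crt
key client.key
tls-crypt tc.key
verb 3
"""

# AEAD ciphers current OpenVPN releases negotiate, plus AES-256-CBC for older peers.
ACCEPTABLE_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305", "AES-256-CBC"}


def parse_config(text):
    """Map each directive name to the list of argument lists it appeared with.

    Comment lines (# or ;) and blank lines are skipped. Inline file blocks such
    as <ca> ... </ca> are recorded under the tag name with an empty argument
    list, so presence checks work for inline and file-based material alike.
    """
    directives = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                      # inside <tag> ... </tag>: skip the payload
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            directives.setdefault(block, []).append([])
            continue
        name, *args = shlex.split(line, comments=True)
        directives.setdefault(name, []).append(args)
    return directives


def check_config(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    opts = parse_config(text)
    findings = []

    # Transport: TCP-in-TCP tunnelling is exposed to the TCP meltdown problem.
    proto = opts.get("proto", [["udp"]])[0][0].lower()
    if proto.startswith("tcp"):
        findings.append("proto tcp: a TCP tunnel carried over TCP is exposed to TCP meltdown; "
                        "use UDP unless TCP is needed to get through a firewall")

    # Data-channel cipher: collect both the legacy 'cipher' and 'data-ciphers' lists.
    ciphers = {a[0].upper() for a in opts.get("cipher", []) if a}
    for args in opts.get("data-ciphers", []):
        ciphers.update(c.upper() for c in args[0].split(":"))
    if not ciphers:
        findings.append("no cipher/data-ciphers directive: the cipher is left to defaults")
    weak = sorted(ciphers - ACCEPTABLE_CIPHERS)
    if weak:
        findings.append("legacy or weak cipher(s): " + ", ".join(weak))

    # Control channel: minimum TLS version and an HMAC/encryption key on the handshake.
    tvm = opts.get("tls-version-min")
    if tvm is None:
        findings.append("tls-version-min not set: the minimum depends on the OpenVPN build; set 1.2")
    elif float(tvm[0][0]) < 1.2:
        findings.append(f"tls-version-min {tvm[0][0]}: permits TLS 1.0/1.1 on the control channel")
    if not any(k in opts for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append("no tls-crypt/tls-auth: the control channel accepts handshakes from anyone")

    # Server identity: make sure the peer is really the server, not just any CA-signed cert.
    if "remote-cert-tls" not in opts:
        findings.append("no 'remote-cert-tls server': a client certificate could pose as the server")
    if "verify-x509-name" not in opts:
        findings.append("no verify-x509-name: any certificate signed by the CA is accepted as the server")

    # Client credential: username/password alone is the weakest of the article's three options.
    has_cert = "cert" in opts and "key" in opts
    if "auth-user-pass" in opts and not has_cert:
        findings.append("auth-user-pass without a client certificate: the password is the only credential")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = check_config(conf)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the two constructed samples, the weak configuration produces seven findings and the hardened one none. The checker deliberately reports an absent `tls-version-min` rather than assuming a default, because the default minimum has changed between OpenVPN releases and a configuration that is explicit about it behaves the same on every build.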

Summary

OpenVPN is a popular open-source protocol that offers excellent security and a broad range of configuration options that allow its operation to be tailored to the user’s specific requirements regarding the security/performance trade-off and the circumvention of network controls. It is available on the broadest range of client devices and server platforms, and the technical challenge of installing and configuring the application is offset by the significant benefits in security and performance over other available protocols.

Article by
Stephen Mash

Stephen is a UK-based freelance technology writer with a background in cybersecurity and risk management.
