OpenVPN: meet the VPN king, it’s also free and open source!
Privacy is a common concern nowadays. In the era of information we live in the most dangerous network of them all: the Internet. When communicating over an untrusted network, the need for security and privacy is at its maximum. Enter the world of Virtual Private Networks, literally “tunnels over untrusted networks”. One of the most common and most trusted pieces of software for creating a VPN is OpenVPN, an Open Source solution which is sure to pop up whenever you speak about VPNs. But what is it? And how does it work?
Need for a VPN? Or need for a VPN Provider?
A common misconception among people searching the word “VPN” is the one between VPN provider and VPN software:
- VPN provider: most people looking for VPN will likely want a VPN provider. VPN providers provide you with a secure connection to tunnel your traffic into. If you don’t want major corporations or governments poking their noses into your traffic, a VPN provider will insulate your traffic and obfuscate it. Of course your ISP will still be able to tell you’ve connected to the VPN server.
- VPN software: this is the category of software that enables the creation of Virtual Private Networks. People who want to connect devices across an untrusted network (such as the Internet) may look for such solutions. Imagine you want to connect to your home network securely from the Internet: you may set up VPN software inside your home network and then connect through that tunnel.
OpenVPN belongs to the second category and it is one of the most popular and secure pieces of VPN software on the market. Best of all, it is Open Source, it has been audited and it is available for free.
VPN protocols: Not all VPNs are born the same
One of the most important parts of a VPN is the protocol. The protocol defines how two machines communicate in encrypted form. There are a few protocols and different implementations (read: solutions) of each one:
- PPTP (Point-to-Point Tunneling Protocol): one of the oldest and (sadly) most common VPN protocols; it doesn’t handle encryption directly. It has been thoroughly broken, and has been for quite a while: DON’T USE IT. Its popularity is mainly due to Microsoft Windows’ built-in support: Windows has supported PPTP for a long time and still does (although Microsoft openly discourages its use). The protocol doesn’t directly describe authentication and encryption, so it relies on other protocols (commonly bundled) to provide them.
- L2TP (Layer 2 Tunneling Protocol): the spiritual, more secure successor of PPTP. It doesn’t describe authentication and encryption either; it is commonly implemented alongside IPsec (more in a while). L2TP is the “secure cousin” of PPTP and is widely supported; however, to provide encryption it must encapsulate each packet twice, hence it is slower than PPTP. Rumors are L2TP is not as secure as it used to be, and nowadays it doesn’t employ state-of-the-art cryptography practices.
- IPsec: this is not a protocol, it is an entire suite of them. The IPsec protocol suite is an iron standard in the VPN world; it is, however, pretty difficult to set up. Most of the time you will want to implement a Public Key Infrastructure (PKI), which is another moving part in the whole design. IPsec operates at Layer 3, alongside IPv4 and IPv6. IPsec has great performance since it is implemented within the kernel.
- SSTP (Secure Socket Tunneling Protocol): is another proprietary protocol developed by Microsoft. It is often regarded as pretty secure as it uses SSL/TLS just like OpenVPN, but its closed nature has crippled its ability to become popular. Nowadays there are implementations for Linux and BSD servers and clients, but it still retains the limitations of SSL/TLS-based VPNs and it is simply not as popular as higher-level solutions.
- SSL/TLS: SSL/TLS are common protocols used worldwide, actually the page you’re reading in this moment is encrypted using TLS (thanks to Let’s Encrypt). SSL/TLS are probably the most widespread cryptography protocols thanks to their adoption over the Internet. These protocols provide iron-clad security (until another Heartbleed pops out) and can be used to create VPN tunnels. OpenVPN belongs to this category. Most solutions built upon SSL/TLS perform poorly compared to IPsec since they’re implemented in userland (take a look at WireGuard if you need better performance).
OpenVPN: VPN, TLS and Open Source for everyone
OpenVPN uses OpenSSL (an omnipresent and very secure library) in order to provide encryption, but what’s best about OpenVPN is the myriad of configuration options available. OpenVPN support is widespread: the client can run on Windows, Linux, MacOS, Android and iOS. While the mobile clients are not yet on the same level as the desktop applications, they are quite reliable.
Now don’t be fooled! OpenVPN can run on many operating systems but you will need a specialized application since there is no support out of the box for most of them. The good news is that it is a set-and-forget procedure, once done you will not have to worry about it. Here’s a list of the clients available for each platform:
- Windows: OpenVPN GUI (from OpenVPN).
- Linux: you can find the package from your package manager. NetworkManager (a common manager for networking) also supports OpenVPN integration.
- MacOS: Tunnelblick (from The Tunnelblick project).
- Android: OpenVPN Connect on Play Store (from OpenVPN).
- iOS: OpenVPN Connect on App Store (from OpenVPN).
Now that you know which platforms the client can run on, let’s take a look at server-related configurations.
For starters OpenVPN can run over TCP or UDP (or both as different tunnels):
- TCP: a tunnel using TCP is more reliable than one over UDP, however its performance is slightly worse in terms of throughput. TCP is the suggested protocol if you care about reliability over speed.
- UDP: on the other hand UDP is great for those who need the highest speed they can achieve; however, network reliability might be an issue.
Regardless of which protocol you choose, remember you will notice a dip in bandwidth when connected through the VPN since cryptography adds overhead in order to protect your communications.
Bridging vs Routing (TAP vs TUN)
Networking can be really hard even for IT people, so if you don’t know your way around networking just pick the easiest solution (routing). One of the most difficult decisions in a VPN design with OpenVPN is what kind of traffic will be forwarded. Essentially there are two options:
- Routing (TUN): the VPN server will act as a router and perform Layer 3 forwarding; you will need to create a new private subnet (different from the one the machine is currently using). This option is by far the easiest of the two. The machines connected to the VPN will get their own private addresses (in the new subnet) and will be able to communicate with the server (and with each other, if you so desire) using their private addresses. The problem with this approach is that you won’t be able to use software that leverages Layer 2 protocols; for example you won’t be able to use the Windows “autodiscovery” feature that uses local broadcasts to discover other machines and shares.
- Bridging (TAP): the VPN server will forward Layer 2 traffic, acting as a bridge between the client and the VPN server’s local network. Using this solution, software such as Windows sharing or Samba will work correctly. The machine connecting to the VPN server will look like part of the physical network and will be able to communicate as if it really were directly connected to it; for example the machine will be able to obtain its IP configuration through the DHCP server configured in the VPN server’s LAN. This option adds overhead, transmits broadcasts over the VPN tunnel (more traffic) and scales poorly. Above all, mobile clients can’t connect to this kind of VPN tunnel!
You can find more details about TUN vs TAP here.
Cryptography is complicated, full stop. Most people setting up OpenVPN won’t know about all the security details enclosed in each combination of ciphers, and they don’t really need to since OpenVPN comes with pretty high security standards. That said, when speaking about ciphers you need to choose between security and compatibility. Most modern browsers and operating systems can use the latest standards, but older operating systems or browsers may not be so happy about newer, more secure ciphers. OpenVPN default options strike a balance between security and compatibility.
OpenVPN supports all the ciphersuites offered by OpenSSL (you can list them by running openssl ciphers -v in your terminal). If you’re unsure about which ciphers to support and which ones to use (you can select multiple), you should probably give up and use the defaults. However, if you’re willing to follow guides, Mozilla has a great guide about TLS configuration, and the OpenVPN project publishes a hardening guide you can follow.
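As an added example (not code from the article or from the OpenVPN project), here is a small Python audit that parses an OpenVPN server config and flags the choices discussed above: a bridged TAP device (no mobile clients), a TLS floor below 1.2, a 64-bit block or null cipher, a control channel without tls-auth/tls-crypt, and compression. The embedded config is constructed for the example; the directive names are real OpenVPN options, and the rule set is an opinionated subset of the hardening guide, not a complete check.

```python
import re

# Constructed sample server.conf: UDP for speed, routed TUN tunnel, modern TLS.
SAMPLE_CONF = """\
proto udp               ; speed over reliability (TCP is the other choice)
dev tun                 ; routing: clients get addresses from the subnet below
server 10.8.0.0 255.255.255.0
client-to-client        ; let VPN clients reach each other
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
tls-crypt ta.key        ; pre-shared key protecting the TLS control channel
# comp-lzo              ; compression left off on purpose
"""

# 64-bit block ciphers (SWEET32 class) and the null cipher.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}

def parse(conf):
    """Return {directive: args}; '#'/';' start comments, inline <ca>...</ca> bodies are skipped."""
    seen, in_block = {}, None
    for raw in conf.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()
        if in_block:                      # inside <ca>, <cert>, <tls-crypt>... : not directives
            if line == f"</{in_block}>": in_block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            in_block = m.group(1)
        elif line:
            name, *args = line.split()
            seen[name] = args             # last occurrence wins, like OpenVPN itself
    return seen

def audit(conf):
    """Return short codes for the settings the article warns about, in check order."""
    d, findings = parse(conf), []
    if (d.get("dev") or [""])[0].startswith("tap"):
        findings.append("tap-no-mobile")            # bridged tunnel: mobile clients can't join
    if float((d.get("tls-version-min") or ["0"])[0]) < 1.2:
        findings.append("tls-version-min")          # allow TLS 1.2 and newer only
    if (d.get("cipher") or [""])[0].upper() in WEAK_CIPHERS:
        findings.append("weak-cipher")              # 64-bit block cipher or no encryption
    if not (d.keys() & {"tls-auth", "tls-crypt", "tls-crypt-v2"}):
        findings.append("no-control-channel-key")   # handshake exposed to anyone reaching the port
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression")              # compression oracle (VORACLE) risk
    return findings
```

Run it against your own server.conf with audit(open("server.conf").read()); an empty list means none of the listed pitfalls were found.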