
What is OpenVPN, And is it Safe To Use?

By Marc Dahan

If you use a commercial VPN service, the chances are high that you’re using the OpenVPN protocol. It’s one of the most widely used VPN protocols available. 

But how does it work? Is it free to use? And, more importantly, is it safe? In this post, we’ll try to answer these questions, and more.

A Little History


OpenVPN was written by James Yonan and was released to the public in 2002, under the GNU General Public License (GPL). 

Yonan has a background in software development and financial trading. He currently serves as CTO of the OpenVPN project.

OpenVPN is one of the most flexible VPN protocols available.

It can be used to bridge networks together (site-to-site) or to enable remote clients to access network resources and the Internet through the server (client-server/road warrior).

And it supports many authentication methods. 

In a site-to-site setup, OpenVPN peers can authenticate each other using pre-shared keys, certificates, or a username/password scheme.

In a client-server configuration, the server can also validate clients using certificates, signatures, and a certificate authority.

For cryptography, OpenVPN uses the OpenSSL library and the TLS protocol, and it supports up to 256-bit encryption. This is robust.

Platform Support

When I stated that OpenVPN was one of the most commonly used VPN protocols, I wasn't kidding. 

And one of the reasons for its wide adoption is that OpenVPN supports just about every operating system out there. That means the usual suspects:

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

But also,

  • FreeBSD
  • OpenBSD
  • NetBSD
  • QNX
  • Solaris
  • Maemo
  • ChromeOS
  • DD-WRT
  • OpenWrt
  • Tomato
  • OPNsense
  • pfSense
  • And even PalmOS…

That’s a lot of operating systems.

How Does OpenVPN Work?


Like most VPNs, everything starts with a peer requesting a connection to another peer, usually the server. This request is encrypted.

That peer can be a client requesting a connection to a server (road warrior configuration), or a server requesting a connection to another server (site-to-site).

Authentication

Once a request is made, the peer must be authenticated by the host VPN server. As mentioned above, OpenVPN is very flexible in this regard.

The peer can be authenticated using pre-shared keys, certificates, or the username/password scheme. 

In OpenVPN version 2.0 and later, a peer can also be authenticated by the hosting VPN server, using a combination of certificates and a username and password.

Encryption

On the encryption side, OpenVPN uses the OpenSSL library for both the data channel and the control channel.

Your Internet traffic flows through the data channel, while the encryption and authentication mechanisms run through the control channel, in parallel.

As mentioned earlier, OpenVPN supports up to 256-bit encryption. It can also use HMAC packet authentication, via the control channel, for data integrity purposes.

An HMAC is a keyed cryptographic hash (a message authentication code) that is sent along with the traffic flowing through the VPN (the messages).

The peers on the network hash the incoming traffic themselves, using the same key, and the traffic is considered authentic only if the resulting hashes match.
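The keyed-hash check described above, modelled in Python as an added example (this is not the author's code or OpenVPN's own implementation): the sender appends an HMAC-SHA256 over header and payload, and the receiving peer recomputes it with the same key and compares in constant time. The key, opcode, packet id and packet layout are constructed for illustration and simplified compared with OpenVPN's real tls-auth wire format.

```python
import hmac
import hashlib
import struct

# Constructed 256-bit shared key for this example only. OpenVPN's real tls-auth
# key is a 2048-bit static key file produced by `openvpn --genkey`; this
# stand-in exists so the example runs offline.
SHARED_KEY = bytes.fromhex("0f1e2d3c" * 8)

HMAC_ALG = "sha256"                      # OpenVPN's `auth SHA256` uses this digest
TAG_LEN = hashlib.sha256().digest_size   # 32-byte tag
HEADER = struct.Struct("!BI")            # opcode byte + 32-bit packet id (simplified)


def seal(opcode: int, packet_id: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: header || payload || HMAC(key, header || payload)."""
    body = HEADER.pack(opcode, packet_id) + payload
    return body + hmac.new(key, body, HMAC_ALG).digest()


def open_packet(wire: bytes, key: bytes = SHARED_KEY):
    """Receiver side: recompute the HMAC over header || payload and compare.

    Returns (opcode, packet_id, payload) when the tag matches, or None when the
    packet is too short, was modified in transit, or was built with another key.
    A receiver drops rejected packets before doing any further processing.
    """
    if len(wire) < HEADER.size + TAG_LEN:
        return None
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, body, HMAC_ALG).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    opcode, packet_id = HEADER.unpack_from(body)
    return opcode, packet_id, body[HEADER.size:]


def tamper(wire: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, modelling in-transit modification."""
    out = bytearray(wire)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    pkt = seal(7, 1, b"client hello")          # opcode 7 is a constructed sample value
    print(open_packet(pkt))                    # authentic: (7, 1, b'client hello')
    print(open_packet(tamper(pkt, 0)))         # header bit flipped -> None
    print(open_packet(tamper(pkt, 8)))         # payload bit flipped -> None
    print(open_packet(tamper(pkt, -1)))        # tag bit flipped -> None
    print(open_packet(pkt, key=bytes(32)))     # wrong key -> None
```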

Protocols

OpenVPN supports both the IPv4 and IPv6 protocols (IPv6 since OpenVPN 2.3). It also supports both UDP and TCP as transport protocols.

TCP stands for Transmission Control Protocol. 

TCP includes a corrective mechanism that makes sure the data was delivered, and delivered in the correct order.

If packets are missing, TCP retransmits them and ensures that everything arrives in order. This corrective mechanism obviously adds overhead to TCP connections.

UDP stands for User Datagram Protocol. 

UDP does not include a corrective mechanism at all. It simply sends data through the pipes and hopes for the best. As such, it is sometimes referred to as the “Unreliable Datagram Protocol”.

UDP is usually much faster than TCP, as it has much less overhead.

This flexibility in transport protocols lets OpenVPN get through most proxy servers and firewalls performing Network Address Translation (NAT), both of which can sometimes hinder VPN use.

OpenVPN can also run on arbitrary ports, which helps it work through restrictive firewalls.

In conjunction with TCP, this lets you “disguise” your VPN connection as regular traffic. By running the OpenVPN server on port 443 and using TCP, for example, you can make your VPN traffic look like regular HTTPS traffic.

This helps with restrictive firewalls and proxy servers, as well as with ISPs or corporate networks that block VPNs.

Be aware, however, that TCP is generally much slower than UDP, because of the additional overhead of its corrective mechanism.

For TCP to work at decent speeds, it needs spare bandwidth. If that extra bandwidth becomes unavailable or insufficient, performance can slow to a crawl, because the tunneled connections’ own TCP retransmissions and the VPN connection’s retransmissions compound each other. This is referred to as the “TCP meltdown problem”.

Most commercial VPN providers that support OpenVPN default to using UDP. Using UDP, a properly configured OpenVPN connection can be very fast.

Open-Source Security

Another thing worth mentioning is that OpenVPN is fully open-source.

That means that anyone and everyone is free to inspect the code, make modifications to the code, and distribute the code for their own purposes.

This freedom also adds a level of security to the VPN protocol, because the code is open to all. Nothing hidden. No proprietary coding secrets. And no backdoors.

OpenVPN has also gone through many security audits over the years. And while certain vulnerabilities were found (and subsequently fixed), no backdoors have ever been found.

OpenVPN is considered one of the most secure – if not the most secure – VPN protocol available today.

That might change once WireGuard is ready for prime time, but we’re not there yet.

Wrap-Up

OpenVPN’s strong cryptography, unparalleled flexibility, and open-source code make it one of the best VPN protocols publicly available.

Set up with UDP, it is very fast. It is also one of the easiest VPN solutions to configure – though you still need to know your stuff…

And in case you’re wondering, I use OpenVPN every day.

Most, if not all, commercial VPN providers support OpenVPN on their networks. And we’ve reviewed three of them. 

If you’d like more information, check out our VPN provider reviews, below.

Is OpenVPN Safe?

I can confidently answer: yes.

OpenVPN uses the OpenSSL library for its encryption, which can be up to 256-bit. This is the industry standard and is considered very secure. 

Its use of HMAC pushes the security even further. 

Properly configured, OpenVPN can protect your most critical digital activities.

And the fact that it’s open-source and has been through multiple security audits during its history gives even more credence to its security claims.

Is OpenVPN Free To Use?


OpenVPN is free to use. That is, it’s “free” as in “freedom” – you are free to inspect and modify the code for your own purposes. 

But it’s also “free” as in “costless”. You can freely download OpenVPN and install it on the devices of your choice for zero dollars.

What’s not to like about that? 🙂


Last updated: May 7, 2020
