Let us begin our OpenVPN Inc. review by stating that they are the company behind OpenVPN. With over five million downloads since its inception as the OpenVPN Project in 2002, it has become a de-facto standard VPN software in the open source networking space. For those who are not familiar with it, OpenVPN is a fast, reliable, and ultra secure Internet communication solution. It is widely believed to be the best protocol available to create secure Virtual Private Networks (VPNs). Consequently, it forms the core infrastucture of the best VPN services. In addition to their award-winning community open source software, OpenVPN Inc. provides their own VPN service through Private Tunnel which implements their latest OpenVPN version features. They also provide a complete solution through various OpenVPN Access Server packages.
Before the rise of the Internet age, most companies who wanted to connect their offices had to use T1 lines and additional backbone architectures. This let the LANs used by corporate offices join together into WANs. This was very expensive thus limited to larger enterprises. Next came the first VPNs which were implemented using IPSec which was very complex and only really understood by security experts. This limited implementation to those who could afford these experts from companies like Cisco and Microsoft. To complicate this even more, these proprietary solutions were often incompatible with each other.
As the Internet became more and more popular, smaller businesses began to use VPNs and the need for faster and cheaper solutions grew. At the same time SSL/TSL Internet security increased in popularity due to its use in the financial industry This birthed the commercial VPN industry which provided SSL VPNs that allowed remote users to “securely access” office LANs remotely over the public Internet. Soon, a greater number of Internet users began to look for secure Internet solutions that were easier and faster to develop. At the same time Linux-based networks provided a platform to test out these new solutions using TUN/TAP virtual networking devices.
OpenVPN: Backbone of the OpenVPN Inc. Business
A Little History about OpenVPN
Below is a synapses of an interview given by James Yonan, Creator of OpenVPN about how he came to develop it.
The original idea of a need for a tool like OpenVPN came to him while traveling the world while simultaneously needing to maintain a reachable telepresence. While traveling through Central Asia, Russia, and other regions having a unusual number of very talented hackers, he began to become interested in the Linux security tools used for telecommuting.
When investigating these tools, he discovered that there were basically two trains of thought regarding VPN technologies. He called these the “security-first” and the “usability-first” camps. The IPSec and FreeSwan security camp believed that it was ok to lapse the robustness and usability in favor of achieving the proper security. However, this made IPSec VPN applications complex and difficult to implement.
This led to the non-IPSec camps (VTun, Cipe, etc) which spawned because they needed a VPN now and development times for IPSec VPN was very long. Thus they decided that it would be easier to make their own rather than struggle with the pitfalls of installing IPSec. The usability group concentrated on the networking aspect of secure telecommunication. This led to the innovation used by many VPN providers today, “TUN” or “TAP” virtual network adaptors. TAP adaptors emulate ethernet network connections used within local area networks and TUN adaptors simulate the IP point to point connections and NAT used by routers.
After considering both of these and the open source VPN field, he decided that the usability group had the right idea about networking and making the implementation simpler. While at the same time the SSH, SSL/TSL, and IPSec were right about the security level needed for private networks that were operating across the public Internet. Thus began his concept of what would become OpenVPN.
Even though IPSec was the current standard for VPN technology at the time he began developing his VPN solution. He decided against it because of its complexity and core kernel interaction. He saw a potential issue because complexity is generally thought to be the enemy of security. Additionally, he looked on this interaction as a design flaw in which a failure of one component could lead to a catastrophic security breach.
Consequently he looked at SSL which was growing as a alternate to IPSec for Internet security and was being used to secure websites. Thus he settled on SSL/TSL for the security component for his new VPN tool. Since it leaned heavily on the OpenSSL library and was open source, he decided to call it Open VPN.
So, What Makes OpenVPN Special?
It is Open-Source Software
The software is free and open-source. Secondly, since its introduction in 2002, it has garnered one of the largest communities of users in the open-source space. This community is composed of cryptography experts, hobbyists, and IT professionals from all over the world. Consequently, it has been submitted to widespread examination of both its usability, as well as, its cryptographic security. Additionally the OpenSSL library that forms its core crypto-security is also open source and has over twenty years of critique by security experts and regular users all over their world. This makes OpenVPN one of the most scrutinized crypto-libraries which has led to further advancements in the online security that it provides. These new advancements are then included in successive OpenVPN versions.
Community Testing and Security Audits
To understand what makes OpenVPN the most widely used VPN protocol in the world, you need to examine how it tackles the security of your network connections. OpenVPN Inc. uses a combination of user comments and testing to constantly improve the performance and online security of their software. Additionally, OpenVPN undergoes periodic security and cryptographic audits of its code. The last two were conducted in early 2017. The following sections show the importance of both of these in increasing the ease of use, operability, and security of the OpenVPN code.
Internal PIA Funded and Independent OSTIF Audits of OpenVPN 2.4
One was performed by, Matthew D. Green, PhD, a well-respected cryptographer and a professor at Johns Hopkins University. This study was funded by Private Internet Access and the full summary can be found here. Another separate audit was made by Open Source Technology Improvement Fund (OSTIF) using engineers from QuarksLab, the Paris-based firm that also audited Veracrypt. The questions raised by these audits were addressed by the OpenVPN Community Wiki report released with the version update OpenVPN 2.4.2 which fixed the most serious of these issues.
Community Involvement and Fuzzing to Improve Code Security
After the recent audits and the release of OpenVPN 2.4.2, Guido Vranken, a community member decided to run an automated Fuzzer against the new code. For those who do no know what a Fuzzer is, it is an automated software that is used to test new code. The testing procedure involves providing invalid, unexpected, and random input to the code and then observing how it copes with it. Fuzzing or fuzz testing as it is commonly called monitors for exceptions encountered from the invalid data which include error codes triggered, crashes, failure of conditions assumed by the code but not properly tested for, and security breaking memory leaks. His goal was to demonstrate that manual audits may not be enough to fully test new code and that these codes should be exposed to Fussing algorithms. He discovered some additional vulnerabilities not found by the audits. OpenVPN Inc. addressed these in OpenVPN 2.4.3 and 2.3.17 along with some other unrelated issues.
Security of OpenVPN?
The following is a quick summary of the whitepaper, OpenVPN and the SSL VPN Revolution, by Charlie Hosner.
In order to understand what a Secure VPN needs, you need to understand some basics of cryptography. We know most readers think that this is a very technical and complex science. It is and therefore it is easy to get wrong. Stated otherwise, as Hosner’s Lamented: “The one thing worse than bad security is bad security that creates the illusion of good security” Luckily, products like OpenVPN make good security easier to implement correctly. The other component of a good VPN is that they be easy to implement and provide fast performance.
Goals of Information Security
Information security relies heavily on four basic goals. These can be summed up as follows:
- Confidentiality – refers to hiding your data from prying eyes.
- Integrity – involves verifying that your data has not been changed in any way during transit.
- Authentication – means that you can be sure that the client or server that you are communicating with is who you think they are.
- Non-repudiation – makes sure that the entity you are communicating with cannot later deny that he sent the data that you received.
In order to properly address these goals, security experts use what are commonly called cryptographic primitives in the industry.
The Four Core Cryptographic Primitives
- Symmetric ciphers – are the fast block algorithms that use the same key for encrypting and decrypting data which are used for data confidentiality.
- Message digests – are mathematical functions that encode a message into a fixed length of cipher text that are used to check the message integrity.
- Asymmetric ciphers – are other methodologies like Public Key Encryption (PKI) which can be use to authenticate the entities talking to each other.
- Digital signatures – are a combination of message digest and PKI which when used together provide message integrity but also non-repudiation.
Now that we know the goals of good information security and the basic tools that are applied to achieve them. let us see how they are applied to form the basis of a good VPN network.
Trusted Certificate Authorities
First the idea of individual private/public keys for every host that you want to contact has shown to be problematic since you would need a different public key for every host that you connect to. This would also lead to a issues with HTTPS ecommerce sites. Imagine needing a separate key for every secure website you visit. To overcome this scalability issues faced by HTTPS and TSL regarding PKI, trusted Certificate Authorities (CAs) were established. CAs, issue Digital Certificates which are small data files that contain identity credentials which have been signed by the CA’s private key. The idea being that the Intermediate Certificate Authority (ICA) is trusted to the root CA.
Additionally, both the server and client trust the same ICA. Thus if the ICA’s public key can read either digital certificate, then it is a trusted verified entity to the other. Digital Certificates are what provides authenticity and non-repudiation to online websites, people, and devices.
The OpenVPN Handshake
We have discussed the handshake in many of our VPN reviews. Let us take a look at how this handshake works in OpenVPN. It can be thought of as four messages between the client and the server:
Message 1
The client sends a hello message to initiate the handshake. This greeting includes a list of ciphers that the client supports and a random bit. It also includes the versions of SSL/TSL it will allow.
Message 2
The server returns the hello message. The server greeting sends the server certificate which includes its public key that has been signed by the CA private key. It also chooses and sends a cipher from the highest SSL/TSL version common between the client and server. It then sends the parameter necessary to generate the server’s half of the common key (RSA, DHE, ECDHE, etc.).
Message 3
Message 3The client uses the CA public key to verify the server identity and then recovers its public key. The client then uses the server public key on the message to get the server’s parameter to generate the pre-master secret. It then sends its certificate to the server if requested. The client also uses the server’s public key to encrypt the pre-master secret as part of the Client Key Exchange/Generation step. It then calculates the master key and switches to the chosen cipher. Next it performs a hash value of the entire handshake, encrypts it with the chosen cipher, and sends it to the server to make sure they are on the same page regarding everything discussed during the handshake. The HMAC provides authentication and non-repudiation for the test.
The server uses the CA public key to authenticate the client. Only the server has the private key necessary to resolve the pre-master. Once it does this it calculates the shared master. Once both ends are authenticated, four different keys are generated: an HMAC send key, an HMAC receive key, an encrypt/decrypt send key, and an encrypt/decrypt receive key during the key generation step.
Message 4
The server changes to the chosen cipher, decrypts the message sent by the client and checks to see that they agree. It then creates its own HMAC finish test and sends it to the client. Once the client decrypts this and both sides agree that everything was sent and received correctly, the handshake completes.
Subsequent Symmetric Message Encryption
All subsequent messages will be encrypted using the chosen cipher and use HMAC for data integrity, authentication, and non-repudiation. Keys will periodically be regenerated through a separate control channel to provide perfect forward secrecy for the connection with a transition period between key changes so it causes minimal interference.
Cipher Example
An example of a typical cipher is DHE–RSA–AES256–SHA256. The parts of the cipher are as follows:
- DHE – means to use Diffie-Hellman key exchange with ephemeral keys which provides perfect forward secrecy
- RSA – uses certificates for authentication of entities (should use at least 2048 bit).
- AES256 – is the symmetric encryption used for confidential messaging.
- SHA256 – represents the Message Authentication Code (HMAC) used for message authentication and integrity.
Features of OpenVPN
The previous material shows how OpenVPN software uses OpenSSL as the basis of its core security. It also has configuration options that help to make it more secure against unknown attacks and other coding to improve your security. Specifically, it isolates the security code from the transport code which makes it easily portable to a variety of operating systems. Other features of OpenVPN include:
- Flexibility – run using TAP (ethernet bridging) and TUN (tunnel IP routing) adapters.
- Performance – the code runs fast and has no hard limits on tunnels supported.
- NAT transversal – is made easier.
- Multiple authentication – methods which include pre-shared keys and PKI certificates with perfect forward secrecy support.
- Ease of configuration – means someone with some technical security and networking knowledge can install it while still maintaining a high level of security unlike IPSec based VPNs. Novice users who want to use the latest OpenVPN Inc. OpenVPN security should check out their VPN service Private Tunnel. You can also check out our list of best personal VPNs.
It also allows for load balancing and failover by using simple rules and IP tables. Finally OpenVPN Access Server allows for central management which makes it an ideal solution for enterprises of all sizes.
Complete VPN Solution for the Individual, SME, or Enterprise
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages. It can be installed on Windows, MAC, Linux, Android, and iOS environments. It supports a wide range of configurations. This includes everything from secure and granular remote access to you own internal network, centralized control of a small business network, to fine-grained control of virtual appliances and private cloud network resources.
OpenVPN Access Server consists of three major components:
- OpenVPN Server – The VPN server is the underlying component in OpenVPN Access Server that does all of the background work. It comes with a Web GUI that helps to manage the underlying components of the VPN server.
- Admin Web Interface/Admin UI – The Admin Web Interface makes for an easier management interface in OpenVPN Access Server. In the Admin Web Interface an administrator can manage VPN options like routing, user permissions, server network settings, authentication, and certificates.
- Connect Client – The Connect Client Interface is a component of OpenVPN Access Server that allows users to connect to the VPN directly through their web browser. The Connect Client also gives the user options to download their configuration files which can be used on other OpenVPN clients.
Free Test Server
You can download OpenVPN Access Server for free. It comes with two free client licenses for testing purposes. This means you can create a secure personal VPN network by putting the server software on your home PC and then install the client on your laptop and mobile device. This would allow you to access your home network securely and remotely from both devices.
VPN for Small to Medium Enterprises
If after downloading and testing OpenVPN Access Server you want to scale it up, it scales easily to the size of your business. You can buy more client licenses. Each license cost $15/year and they are sold in banks of ten, This means you must buy at least 10 licenses for a total of $150. They offer discounts on extra year terms.
The server software can also be run on physical machines or as a virtual appliance for VMWare and Microsoft Hyper-V Virtualization Platform. Purchasing additional licenses entitles you to use their ticketing system for support questions or issues specifically related to the OpenVPN Access Server product. You can then access their support ticket system through their website to submit a support ticket. Requests filed in the ticketing system are answered on a best-effort basis.
VPN for the Enterprise and Cloud
OpenVPN Access Server is a full featured secure network tunneling VPN Cloud solution. IT integrates the OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages together. It can accommodate Windows, Mac and Linux OS environments. OpenVPN Access Server can work with Amazon Cloud, Microsoft Azure, and Google Cloud. The cost is based on bring your own license (BYOL) + incurred cloud cost.
OpenVPN Connect
Installing OpenVPN Connect
OpenVPN Connect can be downloaded from the Google Play store. It is the official VPN application for Android developed by OpenVPN, Inc. It is a universal client serving the full suite of OpenVPN products:
- Private Tunnel – is a personal VPN service offered by OpenVPN Inc.
- Access Server – provides a server solution for everything from SMBs to enterprises.
- OpenVPN Compatible Server – is a solution for self-hosted servers or OpenVPN compatible VPNs.
OpenVPN Connect works seamlessly across all devices, no matter the complexity of your organization or your bandwidth.
Using OpenVPN Connect
You will need an existing OpenVPN Compatible Server, Access Server, or Private Tunnel subscription, depending on the service you want to use:
If you want a personal VPN service, then tap on “Private Tunnel”. Enter your credentials if you already have an account. Else, you can sign up for their 7-day free trial. Tapping on “Access Sever” will open the profile screen. Enter the hostname, username, and password supplied by your administrator to access your business VPN network. Finally, you can us the “OVPN Profile” to import an .ovpn file from the compatible service.
No matter which choice you make, you will have access to some of the best OpenVPN security available. All of your Internet traffic will be securely encrypted with and tunneled to your destination server.
Conclusions
OpenVPN Inc. is the company behind OpenVPN, the de-facto standard of open-source software to secure your Internet communications. It was started as the OpenVPN project in 2002 and has garnered one of the largest communities of users in the open-source space.
The security is primarily by means of the OpenSSL library. However it does have extra security features through its configuration settings. It can be installed as a ethernet bridge by means of the TAP driver or an IP router through the TUN driver. OpenSSL and OpenVPN are two of the most scrutinized open source codes due to their large user base. OpenVPN also undergoes periodic security audits to check for vulnerabilities. When found they are addressed in the next version.
OpenVPN also has a full VPN solution through its OpenVPN Access Server. It is a full featured secure network tunneling VPN solution that integrates OpenVPN server capabilities, enterprise management, simplified OpenVPN Connect UI, and OpenVPN Client software packages. It can be installed on Windows, MAC, Linux, Android, and iOS devices. OpenVPN Access Server supports a wide range of configurations. It can be used to provide a VPN solution for individuals, small to medium businesses, or large enterprises. It can also be run on physical machines, virtual appliances, or in cloud environments.