OpenVPN is a free and open-source software application that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority. It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features.
OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of OpenVPN protocol.
This chart will install an OpenVPN server inside a kubernetes cluster. New certificates are generated on install, and a script is provided to generate client keys as needed. The chart will automatically configure dns to use kube-dns and route all network traffic to kubernetes pods and services through the vpn. By connecting to this vpn a host is effectively inside a cluster’s network.
OpenVPN Community Software
With OpenVPN, you can:
- tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
- configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,
- use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
- use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,
- choose between static-key based conventional encryption or certificate-based public key encryption,
- use static, pre-shared keys or TLS-based dynamic key exchange,
- use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
- tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
- tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
- tunnel networks over NAT,
- create secure ethernet bridges using virtual tap devices, and
- control OpenVPN using a GUI on Windows or Mac OS X.
What distinguishes OpenVPN from other VPN packages?
- OpenVPN’s principal strengths include cross-platform portability across most of the known computing universe, excellent stability, scalability to hundreds or thousands of clients, relatively easy installation, and support for dynamic IP addresses and NAT.
- OpenVPN provides an extensible VPN framework which has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients, or supporting alternative authentication methods via OpenVPN’s plugin module interface (For example the openvpn-auth-pam module allows OpenVPN to authenticate clients using any PAM authentication method — such methods may be used exclusively or combined with X509 certificate-based authentication).
- OpenVPN offers a management interface which can be used to remotely control or centrally manage an OpenVPN daemon. The management interface can also be used to develop a GUI or web-based front-end application for OpenVPN.
- On Windows, OpenVPN can read certificates and private keys from smart cards which support the Windows Crypto API.
- OpenVPN uses an industrial-strength security model designed to protect against both passive and active attacks. OpenVPN’s security model is based on using SSL/TLS for session authentication and the IPSec ESP protocol for secure tunnel transport over UDP. OpenVPN supports the X509 PKI (public key infrastructure) for session authentication, the TLS protocol for key exchange, the OpenSSL cipher-independent EVP interface for encrypting tunnel data, and the HMAC-SHA1 algorithm for authenticating tunnel data.
- OpenVPN is built for portability. At the time of this writing, OpenVPN runs on Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows (2000/XP and later versions). Because OpenVPN is written as a user-space daemon rather than a kernel module or a complex modification to the IP layer, porting efforts are dramatically simplified.
- OpenVPN is easy to use. In general, a tunnel can be created and configured with a single command (and without any required configuration files). OpenVPN’s documentation contains examples illustrative of its ease of use.
- OpenVPN has been rigorously designed and tested to operate robustly on unreliable networks. A major design goal of OpenVPN is that it should be as responsive, in terms of both normal operations and error recovery, as the underlying IP layer that it is tunneling over. That means that if the IP layer goes down for 5 minutes when it comes back up, tunnel traffic will immediately resume even if the outage interfered with a dynamic key exchange which was scheduled during that time.
- OpenVPN has been built with a strongly modular design. All of the crypto is handled by the OpenSSL library, and all of the IP tunneling functionality is provided through the TUN/TAP virtual network driver. The benefits of this modularity can be seen, for example, in the way that OpenVPN can be dynamically linked with a new version of the OpenSSL library and immediately have access to any new functionality provided in the new release. For example, when OpenVPN is built with the latest version of OpenSSL (0.9.7), it automatically has access to new ciphers such as AES-256 (Advanced Encryption Standard with 256 bit key) and the encryption engine capability of OpenSSL that allows utilization of special-purpose hardware accelerators to optimize encryption, decryption, and authentication performance. In the same way, OpenVPN’s user-space design allows straightforward porting to any OS which includes a TUN/TAP virtual network driver.
- OpenVPN is fast. Running Redhat 7.2 on a Pentium II 266mhz machine, using TLS-based session authentication, the Blowfish cipher, SHA1 authentication for the tunnel data, and tunneling an FTP session with large, pre-compressed files, OpenVPN achieved a send/receive transfer rate of 1.455 megabytes per second of CPU time (combined kernel and user time).
- While OpenVPN provides many options for controlling the security parameters of the VPN tunnel, it also provides options for protecting the security of the server itself, such as –chroot for restricting the part of the file system the OpenVPN daemon has access to, –user and –group for downgrading daemon privileges after initialization, and –mlock to ensure that key material and tunnel data is never paged to disk where it might later be recovered.
Does OpenVPN support IPSec or PPTP?
- There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP.
- The IPSec protocol is designed to be implemented as a modification to the IP stack in kernel space, and therefore each operating system requires its own independent implementation of IPSec.
- By contrast, OpenVPN’s user-space implementation allows portability across operating systems and processor architectures, firewall and NAT-friendly operation, dynamic address support, and multiple protocol support including protocol bridging.
- There are advantages and disadvantages to both approaches. The principal advantages of OpenVPN’s approach are portability, ease of configuration, and compatibility with NAT and dynamic addresses. The learning curve for installing and using OpenVPN is on par with that of other security-related daemon software such as ssh.
- Historically, one of IPSec’s advantages has been multi-vendor support, though that is beginning to change as OpenVPN support is beginning to appear on dedicated hardware devices.
- While the PPTP protocol has the advantage of a pre-installed client base on Windows platforms, analysis by cryptography experts has revealed security vulnerabilities.
OpenVPN offers various internal security features. It has up to 256-bit encryption through OpenSSL library, although some service providers may offer lower rates, effectively providing some of the fastest VPN available to consumers. It runs in userspace instead of requiring IP stack (therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization and apply a SELinux context after initialization.
OpenVPN runs a custom security protocol based on SSL and TLS rather than support IKE, IPsec, L2TP or PPTP. OpenVPN offers support of smart cards via PKCS#11-based cryptographic tokens.
OpenVPN can be extended with third-party plug-ins or scripts, which can be called at defined entry points. The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code, there are some examples of such plug-ins, including a PAM authentication plug-in. Several third-party plug-ins also exist to authenticate against LDAP or SQL databases such as SQLite and MySQL.