Advantages of OpenVPN
With the advent of OpenVPN a new generation of VPN entered the scene. While other VPN solutions often use proprietary or non-standard mechanisms, OpenVPN has a modular concept, both for underlying security and for networking. OpenVPN uses the secure, stable, and lauded SSL/TLS mechanisms and combines them in its own reliability layer. It does not suffer from the complexity that characterizes other VPN implementations like the market leader IPsec. At the same time, it offers possibilities that go beyond every other VPN implementation's scope.
- Layer 2 and Layer 3 VPN: OpenVPN offers two basic modes, which run either as Layer 2 or Layer 3 VPN. Thus, OpenVPN tunnels on Layer 2 can also transport Ethernet frames, IPX packets, and Windows Network Browsing packets (NETBIOS), all of which are problems in most other VPN solutions.
- Protecting field workers with the internal firewall: A field worker connected to the central branch of their company with a VPN tunnel can change the network setup on their laptop so that all of their network traffic is sent through the tunnel. Once OpenVPN has established a tunnel, the central firewall in the company's central branch can protect the laptop, even though it is not a local machine. Only one network port must be opened to the local (customers') network by the field worker. The employee is protected by the central firewall whenever he is connected to the VPN. Even better, the administrator of the central VPN server can force the client to use the central firewall by imposing configuration options on the clients.
- OpenVPN connections can be tunneled through almost every firewall and proxy: If you have Internet access and can access HTTPS web sites, then OpenVPN tunnels should work. Setups where OpenVPN tunnels are banned are very rare. OpenVPN has full proxy support including authentication.
- Server and client mode, UDP and TCP support: OpenVPN can be configured to run as a TCP or UDP service and as a server or client. As a server, OpenVPN simply waits until a client requests a connection, whereas a client establishes a connection according to its configuration. A server on the Internet can be completely shut down from any other machine except the ones in its virtual private network, which extends the security level of such systems enormously.
- Only one port in the firewall must be opened to allow incoming connections: Since OpenVPN 2.0, the special server mode allows multiple incoming connections on the same TCP or UDP port, while still using different configurations for every single connection.
- No problems with NAT: Both OpenVPN server and clients can be within a network using only private IP addresses. Every firewall can be used to send the tunnel traffic to the other tunnel endpoint.
- Virtual interfaces allow flexible very specific networking and almost every imaginable firewall rule: All restrictions, mechanisms like forwarding, and concepts like NAT (Network Address Translation) or package mangling (changing the metadata of network datagrams, like some firewalls do) can be used with and within OpenVPN tunnels. Any IP Protocol is possible. Yes, you can tunnel VPNs, like IPsec, inside an OpenVPN tunnel.
- High flexibility with extensive scripting possibilities: OpenVPN offers numerous points during connection setup to start individual scripts. These scripts can be used for a great variety of purposes from authentication to failover and more.
- Transparent, high-performance support for dynamic IPs: By using OpenVPN, there is no longer a need to use expensive, static IPs on either side of the tunnel. Both tunnel endpoints can have cheap DSL access with dynamic IPs. The users will rarely notice a change of IP on either side, Windows Terminal Server and Secure Shell (SSH) sessions will only seem to hang for few seconds, but they will not terminate and will carry on with the action requested after a short pause. All traffic can be compressed through the LZO library and OpenVPN continuously checks if the compression has been successful. So-called adaptive compression merely 'zips' the uncompressed data to avoid unnecessary overhead.
- Simple installation on any platform: Both installation and use are incredibly simple. Especially, if you have tried to set up IPsec connections with different implementations, you will find OpenVPN appealing.
- Modular Design: The modular design with a high degree of simplicity both in security and networking is outstanding. No other VPN solution can offer the same options at this level of security.
- Support for mobile and embedded: More and more mobile devices are supported. Packages for Windows Mobile and Nokia's Maemo platform, and embedded operating systems like OpenWrt/FreeWrt have all been provided for recently, and there are many others in development.
- Very active community: OpenVPN has acquired a huge amount of fans in the last few years. There are installations with high volume users with high availability.
History of OpenVPN
According to an interview on http://linuxsecurity.com published in 2003, James Yonan was traveling in Central Asia in the days prior to September 11, 2001 and connecting to his office over Asian or Russian Internet Providers.
The fact that these connections were established over servers in countries with very dubious security made him more and more aware of and concerned about security issues. His research revealed that there were two main streams in VPN technology, one promoting security, and the other usability. None of the solutions available at that time offered an ideal blend of both objectives. IPsec and all of its implementations were difficult to set up, but offered acceptable security. However, its complex structure made it vulnerable to attacks, bugs, and security flaws. Therefore, the networking approach Yonan found in some of the usability camp's solutions seemed to make more sense to him, leading him to a modular networking model using the TUN/TAP virtual networking devices that are provided by the Linux kernel.
After some study of the open source VPN field, my conclusion was that the 'usability first' camp had the right ideas about networking and inter-network tunneling, and the SSH, SSL/TLS, and IPSec camps had the appropriate level of seriousness toward the deep crypto issues. This was the basic conceptual starting point for my work on OpenVPN.
James Yonan in a LinuxSecurity.com interview on November 10, 2003. (http://www.linuxsecurity.com/content/view/117363/49/)
Choosing the TUN/TAP devices as a networking model immediately offered a flexibility that other VPN solutions could not offer. While other SSL/TLS-based VPN solutions needed a browser to establish connections, OpenVPN would prepare almost real (but still virtual) network devices, on which almost all networking activities can be carried out.
Yonan then chose the name OpenVPN with respect to the libraries and programs of the OpenSSL project and because of the clear message that this is open source and free software.
OpenVPN Version 1
OpenVPN entered the scene of VPN solutions on May 13, 2001 with an initial release that could barely tunnel IP packets over UDP, and could only encrypt with Blowfish cipher and SHA HMAC signatures (secure encryption and signing methods). This version was already numbered 0.90, which seemed ambitious, as only one version (0.91) followed in 2001, offering extended encryption support. For SSL/TLS support, users would have to wait for almost one year after the first release. Version 1.0 was released in March 2002 and provided SSL/TLS-based authentication and key exchange. This version was also the first to contain documentation in the form of a manpage.
Then, OpenVPN development picked up speed. Only five days later, version 1.0.2 was released, which was the first version with added adaptations for RPM-based systems. From this version onwards, releases were published almost regularly every four to eight weeks.
The following table gives an overview of the releases and lists the dates and versions when certain selected features were added to the 1.x version of OpenVPN. More details can be found in the Change Log sections of the OpenVPN website at http://openvpn.net/changelog.html and release notes at http://openvpn.net/relnotes.html.
OpenVPN Version 2
Parallel to the improvement and development of OpenVPN version 1, the test bed for OpenVPN version 2 was created in November 2003. In February 2004, version 2.0-test3 initially prepared the goal for a multi-client server for OpenVPN. This multi-client server is one of the most outstanding features of OpenVPN today. Several clients can connect to the VPN server on the same port. On February 22, 2004, the two development branches, 1.6-beta7 and 2.0-test3, were merged and further development was continued in the branch of version 2.
There were fewer than 29 versions labeled as 'test' versions, 20 beta versions, and 21 release candidates, until on April 17, 2005, OpenVPN version 2.0 was released. This was only possible because of the great number of developers who were contributing to the project, fixing bugs, and improving performance and stability permanently.
The following list will give a brief overview of the new features that were added to OpenVPN version 2:
- Multi-client support: OpenVPN offers a special connection mode, where TLS-authenticated clients (that are not blacklisted on the CRL) are provided in DHCP-style with IPs and networking (tunnel) data. This way, several tunnels (up to 128) can communicate over the same TCP or UDP port. Obviously, a mode control switch for activating the server mode became necessary.
- Push/pull options: The Network setup of clients can be controlled by the server. After the successful setup of a tunnel, the server can tell the client (both Windows and Linux) to use a different network setup instantaneously.
- A management interface (Telnet) is added.
- The Windows driver and software have been improved extensively.
The current stable version of OpenVPN is version 2.0.9 released on October 1, 2006. There are many reports on the mailing lists that the release candidates of version 2.1 are very stable and usable in enterprise environments also. Use them at your own risk.
The road to version 2.1
Since the middle of 2005, the developers of OpenVPN have been continuously working towards the newest version of OpenVPN, that is, 2.1. At the time of writing (late 2008), the fifteenth release candidate is the most up-to-date version of OpenVPN. The following table shows the improvements that the programmers added along the way:
In addition to the stable version of 2.1, a commercial version 3.0 is in progress. Perhaps you have noticed that from the beginning of October 2008, the copyright of OpenVPN has changed to OpenVPN Technologies, INC., a company founded by James Yonan. This company is developing several products based on OpenVPN for business setups. Both a version with commercial support and a hardware appliance, services and support, and a web-based management interface shall be available soon. Since 2008, the OpenVPN website's redesign has reflected a professional approach towards business customers.
In this article we have covered the advantages and the release history of OpenVPN. In the next article we will discuss the basic networking concepts of OpenVPN, and also have a brief look at the configuration.
If you have read this article you may be interested to view :
- New Features of OpenVPN 2.1 and 2.2 [Article]
- Troubleshooting OpenVPN 2: Configurations [Article]
- Networking with OpenVPN
- Installing OpenVPN on Linux and Unix Systems: Part 1
- Installing OpenVPN on Linux and Unix Systems: Part 2