OpenVPN is one of the many protocols supported by virtual private network (VPN) software. It is widely considered the best all-round VPN protocol for combining speed with security, which is why most VPN services offer it for encrypting your traffic when you go online.
OpenVPN has a strong security track record, but that record holds only when it is configured correctly. A deployment must therefore get four things right: authentication, the handshake, the cipher, and Perfect Forward Secrecy.
But let’s back up a little and look under the hood of OpenVPN to see what makes this protocol tick and how to efficiently use it for securing our Internet connections.
What makes OpenVPN so great
Developed by James Yonan and first released in 2001, OpenVPN is licensed under the GPL (version 2, with an exception that allows linking against OpenSSL). Anyone can use it freely, and commercial licences are available for vendors who want to embed it in proprietary products. It runs on many platforms and operating systems.
Most other VPN stacks are built on IPsec (with IKE for key exchange), PPTP or L2TP/IPsec. OpenVPN instead uses its own security protocol built on SSL/TLS: the control channel is a TLS session, and peers authenticate with X.509 certificates, a username and password, or both. Smart cards and hardware tokens are supported through PKCS#11.
Where one server serves many clients, OpenVPN relies on a certificate authority (CA): each client receives its own certificate signed by that CA, the server verifies the signature chain, and an individual client can be revoked through a certificate revocation list (crl-verify) without touching any other client.
On the cryptographic side, OpenVPN draws on the OpenSSL library (mbed TLS is also supported) for data-channel ciphers such as AES-256-GCM and ChaCha20-Poly1305, and on TLS for the control channel, where RSA (typically 2048 bits or more) or elliptic-curve certificates authenticate the peers and an ephemeral key exchange produces the session keys. HMAC-SHA1 is still the default auth digest, but SHA-256 or better should be configured. The control channel manages key exchange; the data channel carries the tunnelled traffic with keys derived from it. The main advantages of this design are ease of configuration, portability, and compatibility with NAT and dynamic addresses.
It can use any cipher the crypto library provides, and it adds an extra layer of protection with tls-auth (an HMAC on every control-channel packet, informally the "HMAC firewall", which lets the server drop unauthenticated packets before they reach the TLS stack) or tls-crypt (which additionally encrypts the control channel). Hardware acceleration such as AES-NI is picked up automatically by the crypto library when the CPU supports it; nothing has to be "allocated" to OpenVPN.
Like any large codebase, OpenVPN has had security bugs (independent audits in 2017 found and fixed several), but there is no public evidence that the cryptography of a correctly configured OpenVPN tunnel has been broken. The open-source licence helps: the code is reviewed by outsiders and fixes are published as soon as issues are identified.
OpenVPN supports both UDP and TCP as transports. UDP is the default and the faster choice: the tunnel does not retransmit lost packets itself and leaves reliability to the protocols running inside it. TCP guarantees delivery of every tunnel packet, at a cost in speed: TCP connections inside the tunnel then run over another TCP connection, and when the outer connection stalls on a retransmission the inner timers can expire too (the "TCP-over-TCP" problem). In practice TCP mode performs acceptably as long as the underlying network has spare bandwidth and low loss, so that the tunnelled TCP timers don't expire.
All client sessions, whichever transport they use, are multiplexed on a single UDP or TCP port on the server, and OpenVPN can even share a TCP port with another service (port-share). This makes it a practical alternative to IPsec, especially where ISPs or networks block specific VPN protocols or ports, whether for policy or commercial reasons.
OpenVPN has full support for IPv6
Most devices with Internet access use IPv4 addresses, but a growing number also have IPv6 addresses. To protect your anonymity, the VPN client must therefore handle IPv6 as well: if it tunnels only IPv4, your IPv6 traffic bypasses the tunnel and exposes your real IPv6 address to the sites you visit.
OpenVPN has had full IPv6 support since version 2.3, both inside the tunnel and as a transport, so clients can secure IPv6 connections; the server must push an IPv6 default route (redirect-gateway ipv6) or the client must block IPv6 outside the tunnel, otherwise IPv6 traffic leaks. OpenVPN can also connect through HTTP proxies (with no authentication, basic or NTLM authentication) and SOCKS5 proxies, and it handles NAT traversal and firewalls well, so connections are rarely rejected by remote firewalls.
Two kinds of virtual network interface can be created with the universal TUN/TAP driver: a TUN device, a Layer-3 IP tunnel that carries only IP packets, or a TAP device, a Layer-2 virtual Ethernet adapter that carries any Ethernet frame, including broadcast and non-IP traffic. TUN is the usual choice (less overhead, and the only mode available on Android and iOS); TAP is needed only when a remote client must be bridged into a LAN segment.
Because it is free, open source and continuously maintained, OpenVPN's functionality can be extended with plugins and hook scripts: for instance alternative authentication methods, enhanced logging, and dynamic firewall updates when clients connect and disconnect.
The OpenVPN source package ships sample plugins and scripts for PAM (Pluggable Authentication Modules), Ethernet bridging, and TLS verification, and the server exposes hooks such as auth-user-pass-verify, tls-verify and client-connect. Third-party projects add LDAP or MySQL authentication, a RADIUS plugin, and more.
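OpenVPN's auth-user-pass-verify hook is one way to plug in an alternative authentication method like those mentioned above. The following is an added example written for this article, not a script shipped with OpenVPN. It assumes the via-file calling convention (OpenVPN writes the username on line 1 and the password on line 2 of a temporary file, passes the path as argv[1], and accepts the login only if the script exits 0), a hypothetical script path of /etc/openvpn/verify.py, and an in-memory user store constructed for the demonstration.

```python
"""An auth-user-pass-verify hook for an OpenVPN server (editor's example).

Assumed server config lines (the script path is hypothetical):
    script-security 2
    auth-user-pass-verify /etc/openvpn/verify.py via-file
"""
import hashlib
import hmac
import os
import sys
from typing import Dict, Optional, Tuple

KDF_ROUNDS = 100_000
# username -> (salt, PBKDF2-SHA256 hash). Constructed in-memory store; a real
# deployment loads this from a file or database readable by the openvpn user.
USER_STORE: Dict[str, Tuple[bytes, bytes]] = {}


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USER_STORE[username] = (salt, _kdf(password, salt))


def verify(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay the KDF cost so the
    response time does not reveal which usernames exist."""
    entry = USER_STORE.get(username)
    if entry is None:
        _kdf(password, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(_kdf(password, salt), expected)


def parse_via_file(text: str) -> Optional[Tuple[str, str]]:
    """Split the two-line via-file payload; reject anything malformed."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0]:
        return None
    return lines[0], lines[1]


def decide(text: str, cert_common_name: Optional[str] = None) -> int:
    """Return the exit status: 0 = accept, 1 = reject. When the client also
    presented a certificate, OpenVPN exports its common_name to the script;
    require it to match the username so a valid certificate cannot be paired
    with another user's password."""
    creds = parse_via_file(text)
    if creds is None:
        return 1
    username, password = creds
    if cert_common_name is not None and cert_common_name != username:
        return 1
    return 0 if verify(username, password) else 1


# Constructed account for the demonstration.
add_user("alice", "correct horse battery staple")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(1)
    with open(sys.argv[1], "r", encoding="utf-8") as fh:
        sys.exit(decide(fh.read(), os.environ.get("common_name")))
```

The script never prints the password and returns only an exit status; OpenVPN logs the result. Keeping the user store outside the config directory and readable only by the account OpenVPN drops to (user/group directives) is part of the same hygiene.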
OpenVPN can be installed on many platforms, including Windows, macOS, Linux, Android, iOS, Solaris, QNX, OpenBSD, NetBSD and FreeBSD (the minimum versions quoted in older guides, such as Windows XP, OS X 10.8, Android 4.0 and iOS 6, are long out of date; check the current release notes). Historically it also ran on Windows Mobile 6.5 and older, jailbroken iOS 3.1.2 and newer, Maemo, and Android with the right kernel module or CyanogenMod. Some mobile OSes, like Palm OS, never had a client.
Unlike protocols configured through a graphical interface, OpenVPN is configured through plain text files, which is why many users accustomed to GUIs find it difficult. An installation consists of the openvpn executable (the same binary serves as server and client), a configuration file, and one or more key and certificate files depending on the chosen authentication method. OpenVPN is not interoperable with IPsec/L2TP or PPTP clients: it needs its own client software.
OpenVPN is one of the few VPN protocols that can run on a router, protecting every device on the network without installing OpenVPN on each one. This is especially useful for devices that have no OpenVPN client (like the Palm OS example above). The number of devices sharing the tunnel is bounded only by the router's CPU and the server's max-clients setting.
OpenVPN can be set up in server or client mode on many router firmwares, including but not limited to Tomato, OpenWrt, pfSense, DD-WRT, Gargoyle, OPNsense, MikroTik RouterOS and some D-Link models.
Is OpenVPN free to use?
There are two editions: the OpenVPN Community Edition and OpenVPN Access Server, plus the OpenVPN Connect client for Windows, macOS, Android and iOS. Community Edition is free and open source under the GPL, for any use, not just personal. Access Server is a commercial Linux product, licensed per concurrent connection, that adds a web-based admin interface and simple user management, LDAP support, RADIUS integration and multi-daemon mode, among other features.
Is OpenVPN safe to use?
It is widely regarded as the best VPN protocol, thanks to its combination of strong security and good speed; its TLS handshake with certificate verification is designed to defeat man-in-the-middle attacks. We think it is the best VPN protocol too.
You should know, however, that an ISP cannot decrypt traffic routed through OpenVPN. What Deep Packet Inspection (DPI) can do is recognise OpenVPN traffic and block or throttle it, and few ISPs bother. Inside the tunnel your traffic is hidden from employers, school administrators, attackers snooping on public Wi-Fi hotspots and other observers on the path, government ones included. It is visible to the VPN provider, though: you are moving the trust you placed in your ISP to the provider.
VPN cloaking for countries with banned VPN
Some countries forbid the use of any VPN service, OpenVPN included. There, VPN traffic has to be disguised so that it looks like ordinary HTTPS from a security-conscious user.
So if you live in a country where VPNs are banned, or frequently travel to one, check that a VPN service supports VPN cloaking (also called obfuscation) before paying for it; it is what lets you get past VPN blocking and network restrictions.
The following virtual private network apps support obfuscation:
- NordVPN: Settings -> General -> Advanced settings -> Obfuscated Servers
- Surfshark: traffic obfuscation is on by default and cannot be disabled
- VyprVPN: Options -> Protocol -> Chameleon
- Private VPN: Advanced -> Stealth VPN
- IPVanish: Settings -> Connection -> Obfuscate OpenVPN traffic
- TunnelBear: Settings -> Security -> GhostBear
Note: If your VPN service has no cloaking built in, you can wrap OpenVPN in Stunnel, Obfsproxy or an SSH local port forward. PuTTY, MobaXterm and mRemoteNG are SSH clients that support local port forwarding.
OpenVPN can listen on any port and transport you specify (the port and proto directives). Running it on TCP port 443, the HTTPS port, makes it blend in with HTTPS traffic as far as port-based filters are concerned, and port-share lets a real web server answer non-OpenVPN clients on the same port. It is not true cloaking, though: an OpenVPN connection starts with OpenVPN's own length prefix and opcode byte rather than a TLS record header, so an ISP running DPI can still tell OpenVPN from regular HTTPS by looking at the first bytes of the connection. Against that you need one of the obfuscation layers above.
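To make the caveat concrete, here is an added example (editor's code, not part of OpenVPN) of the check a DPI classifier can apply to the first bytes of a TCP connection: an HTTPS connection opens with a TLS record header, while an OpenVPN connection opens with OpenVPN's 2-byte length prefix and a hard-reset opcode byte, whichever port it uses. The byte strings are constructed samples, not captured traffic.

```python
"""Why TCP port 443 alone does not make OpenVPN look like HTTPS (editor's example).

Classifies the first bytes a client sends on a new TCP connection, the way a
DPI classifier would. Samples below are constructed, not captured traffic."""
from typing import Optional, Tuple

# OpenVPN packet header byte: opcode in the high 5 bits, key id in the low 3.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first packet in TLS, tls-auth and tls-crypt modes
P_CONTROL_HARD_RESET_CLIENT_V3 = 10  # first packet in tls-crypt-v2 mode
OPCODE_NAMES = {
    P_CONTROL_HARD_RESET_CLIENT_V2: "P_CONTROL_HARD_RESET_CLIENT_V2",
    P_CONTROL_HARD_RESET_CLIENT_V3: "P_CONTROL_HARD_RESET_CLIENT_V3",
}


def parse_openvpn_tcp_header(segment: bytes) -> Optional[Tuple[str, int, str]]:
    """Return (opcode name, key id, session id hex) if the segment looks like
    the first OpenVPN packet of a TCP connection, else None.

    In TCP mode every OpenVPN packet carries a 2-byte big-endian length
    prefix. A client's first packet is a hard reset: the opcode byte followed
    by an 8-byte session id. tls-auth authenticates but does not hide this
    header, and tls-crypt encrypts only what follows it."""
    if len(segment) < 2 + 1 + 8:
        return None
    declared_len = int.from_bytes(segment[:2], "big")
    if declared_len != len(segment) - 2:
        return None
    opcode, key_id = segment[2] >> 3, segment[2] & 0x07
    if opcode not in OPCODE_NAMES or key_id != 0:
        return None
    return OPCODE_NAMES[opcode], key_id, segment[3:11].hex()


def is_tls_client_hello(segment: bytes) -> bool:
    """TLS record header: content type 22 (handshake), major version 3, a
    2-byte record length, then handshake type 1 (ClientHello)."""
    return (len(segment) >= 6 and segment[0] == 0x16
            and segment[1] == 0x03 and segment[5] == 0x01)


def classify_first_segment(segment: bytes) -> str:
    if is_tls_client_hello(segment):
        return "tls-client-hello"
    if parse_openvpn_tcp_header(segment) is not None:
        return "openvpn-client-reset"
    return "unknown"


# Constructed samples. A real ClientHello is longer; only the header matters here.
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("1603010005010000010303")
# OpenVPN hard reset without tls-auth: length 14, opcode 7 / key id 0 (0x38),
# 8-byte session id, empty ack array, message packet id 0.
SAMPLE_OPENVPN_RESET_V2 = bytes.fromhex("000e" + "38" + "0102030405060708" + "00" + "00000000")
# Same header with the tls-crypt-v2 opcode (0x50); the body is illustrative only.
SAMPLE_OPENVPN_RESET_V3 = bytes.fromhex("000e" + "50" + "0102030405060708" + "00" + "00000000")

if __name__ == "__main__":
    for label, sample in (("https", SAMPLE_TLS_CLIENT_HELLO),
                          ("openvpn on 443", SAMPLE_OPENVPN_RESET_V2),
                          ("openvpn tls-crypt-v2", SAMPLE_OPENVPN_RESET_V3)):
        print(f"{label:22s} -> {classify_first_segment(sample)}")
```

Real classifiers also use the server's reply and packet-size pattern, but the header check alone is enough to show why a different port is not a disguise: the fix is an obfuscation layer that wraps the whole OpenVPN stream in a protocol that really does look like something else.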
OpenVPN and Perfect Forward Secrecy
Perfect Forward Secrecy (PFS), also called Forward Secrecy (FS), is a property of a key exchange: the session keys agreed between client and server cannot be recovered even by someone who later obtains the server's long-term private key.
The long-term private key only signs the handshake; the session keys come from an ephemeral Diffie-Hellman exchange whose private values are discarded afterwards. An attacker who steals the server key could impersonate the server in future handshakes, but cannot decrypt recorded past sessions. Within a live session OpenVPN also renegotiates the data-channel keys periodically (reneg-sec, one hour by default), so even a compromised session key exposes at most one such interval.
OpenVPN provides Perfect Forward Secrecy only in SSL/TLS mode. Static key mode (the secret directive) uses one fixed pre-shared key for the whole lifetime of the configuration, so whoever obtains that key can decrypt every past and future session.
Why is OpenVPN better than other protocols?
At the beginning of this article we said that OpenVPN is secure as long as it's properly configured. A properly configured deployment meets, and current defaults exceed, this baseline:
- Authentication: HMAC with SHA-256 or better (auth SHA256; HMAC-SHA1 is the old default)
- Cipher: AES-256-GCM or ChaCha20-Poly1305 (data-ciphers), AEAD modes rather than CBC
- Handshake: TLS 1.2 or newer with RSA-2048 or elliptic-curve certificates and an ephemeral key exchange
- Perfect Forward Secrecy: TLS mode with certificates, never static keys
Compared to PPTP, L2TP/IPsec, IKEv2/IPsec and other protocols, OpenVPN offers the best balance between encryption strength and speed: it protects your traffic and identity, gives you access to blocked websites, and works with streaming services such as Netflix, while only modestly affecting your Internet speed.
Connections stay stable across mobile and Wi-Fi networks when keepalive and persist-tun are set, and OpenVPN gets past most firewalls because it can use any TCP or UDP port. Its functionality can be extended with scripts. For more information, see our article analysing the most popular VPN protocols.
How to use OpenVPN
One of the few disadvantages of OpenVPN is that no major operating system ships a built-in client, so you have to download and configure it separately. There are two ways to do this: the easy way and the hard way.
The easy way: VPN apps with OpenVPN support
The easy way is to use a VPN application that already supports OpenVPN. It is the go-to solution for casual users who don't want to risk misconfiguring settings and weakening the protocol.
On the other hand, a premium VPN service costs money. We strongly advise against free VPN services: they are likely to compromise your privacy and pester you with premium offers in the process.
The following VPN apps have been reviewed by our team, support the OpenVPN protocol, and are listed by ranking (based on our own recommendations):
- ExpressVPN: Options -> Protocol -> UDP – OpenVPN and TCP – OpenVPN
- NordVPN: Settings -> General -> Advanced settings -> Protocol -> TCP and UDP. OpenVPN is used by default; you choose between OpenVPN over TCP and OpenVPN over UDP
- Ivacy: Settings -> Connection -> Select Protocol -> TCP and UDP. Both options are OpenVPN, so you pick between OpenVPN over TCP and OpenVPN over UDP
- CyberGhost VPN: Settings -> Connection -> Use TCP instead of UDP (by default, OpenVPN uses UDP)
- Mullvad VPN: Settings -> Advanced -> Network protocols -> UDP and TCP. As with the apps above, both options are OpenVPN
The hard way: configuring OpenVPN files
Alternatively, if you don't want to rely on third-party apps, there is the completely free option of editing OpenVPN profiles (.ovpn files) yourself. This is tricky for first-time users, who typically prefer a set-it-and-forget-it approach.
Once again: OpenVPN is only as secure as its configuration, and a careless profile can undo its protections. Going the manual route also means convenience features such as a kill switch, split tunnelling and DNS leak protection are not handed to you. The building blocks exist (route and redirect-gateway directives for split tunnelling, block-outside-dns on Windows against DNS leaks, firewall rules for a kill switch), but you have to set them up yourself.
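Since both the requirements list above and the manual .ovpn route depend on getting the profile right, here is an added example (editor's code, not OpenVPN's) that audits a client profile against that baseline: certificate-based TLS mode rather than a static key, remote-cert-tls server, tls-crypt or tls-auth, a SHA-256 or stronger auth digest, AEAD data ciphers, TLS 1.2 or newer, and no compression. The two profiles at the end are constructed, one weak and one hardened, and vpn.example.net is a placeholder host.

```python
"""Audit an OpenVPN client profile (.ovpn) against this article's baseline.
Editor's example, not part of OpenVPN. Both profiles at the bottom are
constructed: the first repeats common mistakes, the second is hardened."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, directive, message)
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
LEGACY_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Directive -> argument lists. Inline <ca>...</ca> blocks become ['inline']
    and their PEM bodies are skipped; quoted arguments are not handled."""
    directives: Dict[str, List[List[str]]] = {}
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag is not None:          # inside <tag> ... </tag>
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline_tag = m.group(1)
            directives.setdefault(inline_tag, []).append(["inline"])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_client_config(text: str) -> List[Finding]:
    d = parse_ovpn(text)
    out: List[Finding] = []

    def arg(name: str, default: str = "") -> str:
        args = d.get(name, [[]])[0]
        return args[0] if args else default

    # 1. TLS mode (certificates, ephemeral keys) versus a static pre-shared key.
    if "secret" in d:
        out.append(("high", "secret", "static-key mode: one long-lived key, no TLS handshake, no forward secrecy"))
    elif "ca" not in d:
        out.append(("high", "ca", "no CA configured, so the server certificate cannot be verified"))
    # 2. Server identity: without it any CA-issued cert (e.g. a stolen client cert) can pose as the server.
    if arg("remote-cert-tls") != "server":
        out.append(("high", "remote-cert-tls", "add 'remote-cert-tls server'"))
    if "verify-x509-name" not in d:
        out.append(("low", "verify-x509-name", "consider pinning the server name with verify-x509-name"))
    # 3. The 'HMAC firewall': tls-auth signs control packets, tls-crypt also encrypts them.
    if not any(k in d for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        out.append(("medium", "tls-crypt", "no tls-crypt/tls-auth: unauthenticated packets reach the TLS stack"))
    # 4. HMAC digest for tls-auth and for non-AEAD data ciphers; SHA1 is the default when unset.
    auth = arg("auth", "SHA1").upper()
    if auth in {"NONE", "MD5", "SHA1"}:
        out.append(("medium", "auth", f"auth {auth}: use SHA256 or stronger"))
    # 5. Data channel: AEAD ciphers only. Releases before 2.4 fell back to BF-CBC when unset.
    ciphers = {c.upper() for c in arg("data-ciphers").split(":") if c}
    if not ciphers and "cipher" in d:
        ciphers.add(arg("cipher").upper())
    for c in sorted(ciphers - AEAD_CIPHERS):
        sev = "high" if c in LEGACY_CIPHERS else "medium"
        out.append((sev, "data-ciphers", f"cipher {c}: not AEAD; 64-bit-block ciphers such as BF-CBC also allow SWEET32-style attacks"))
    # 6. Control-channel TLS floor.
    if arg("tls-version-min") not in {"1.2", "1.3"}:
        out.append(("low", "tls-version-min", "set 'tls-version-min 1.2' or higher"))
    # 7. Compression: attacker-influenced plaintext plus visible packet sizes leaks secrets (VORACLE).
    if "comp-lzo" in d and arg("comp-lzo", "adaptive") != "no":
        out.append(("high", "comp-lzo", "compression enabled: drop comp-lzo ('comp-lzo no' keeps only the framing)"))
    return out


# Constructed profiles; vpn.example.net is a placeholder host.
WEAK_CONFIG = """\
client
dev tun
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
auth SHA1
comp-lzo
"""

HARDENED_CONFIG = """\
client
dev tun
remote vpn.example.net 1194
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
cert client.crt
key client.key
tls-crypt tc.key
<ca>
(PEM certificate body omitted in this constructed sample)
</ca>
"""
```

Run it over a provider's downloaded profile before importing it; every finding maps to one directive to add or change. The audit covers the client side only; the server has to offer matching settings (the same data-ciphers, tls-crypt key and TLS floor) or the connection will fail to negotiate.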
The previously mentioned VPN apps have configuration files for OpenVPN, which can be separately downloaded and configured:
- Download OpenVPN files for ExpressVPN
- Download OpenVPN files for NordVPN
- Download OpenVPN files for Ivacy
- Download OpenVPN files for CyberGhost VPN
- Download OpenVPN files for Mullvad VPN
OpenVPN is, in our view, the best VPN protocol currently available. But it is only as strong as its weakest link, which makes a correct configuration essential. Numerous VPN apps offer OpenVPN as an easy-to-configure setting in their GUI while also providing configuration files for manual download and setup.