

What is openVPN

2018/10/10

The literal translation of VPN is "virtual private channel": a tunnel for secure data transmission between enterprises, or between individuals and companies. OpenVPN is the pioneer of open-source VPN software under Linux, offering good performance and a friendly user GUI.

What is openVPN

OpenVPN makes extensive use of the SSLv3/TLSv1 protocol implementation in the OpenSSL cryptographic library.


OpenVPN currently runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Microsoft Windows, as well as Android and iOS, and includes many security features. It is not web-based VPN software and is not compatible with IPsec or other VPN packages.


[Introduction]


OpenVPN is an application-layer VPN implementation built on the OpenSSL library. Compared with traditional VPNs, its advantage is ease of use.


OpenVPN allows each peer taking part in a VPN to authenticate with a pre-shared key, a certificate, or a username/password. It makes extensive use of the SSLv3/TLSv1 protocol implementation in the OpenSSL cryptographic library. OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows 2000/XP/Vista and includes many security features. It is not web-based VPN software and is not compatible with IPsec or other VPN packages.


OpenVPN 2.0 introduced username/password authentication, which lets the client certificate be omitted; a server certificate is still required for encryption. All OpenVPN communication goes over a single IP port. UDP is the recommended default, and TCP is also supported. OpenVPN connections can pass through most proxy servers and work well behind NAT. The server can "push" network configuration to the client, including its IP address, routing settings, and so on. OpenVPN provides two kinds of virtual network interface through the generic TUN/TAP driver: a Layer 3 IP tunnel, or a virtual Layer 2 Ethernet that can carry any kind of Layer 2 Ethernet frame. The transmitted data can be compressed with the LZO algorithm. When choosing a protocol, consider the network conditions between the two tunnel endpoints: if latency is high or packet loss is heavy, choose TCP as the underlying protocol, because UDP is connectionless and has no retransmission mechanism, and leaving retransmission to the protocols carried inside the tunnel is very inefficient.


[Analysis]


The software was originally written by James Yonan. OpenVPN allows each peer taking part in a VPN to authenticate with a pre-shared private key, a third-party certificate, or a username/password. It makes extensive use of the OpenSSL encryption library and the SSLv3/TLSv1 protocols.


OpenVPN runs on Linux, the BSDs, Mac OS X and Windows 2000/XP. It is not web-based VPN software and is not compatible with IPsec or other VPN packages.


[Principle]


The core of OpenVPN is the virtual network card (the TUN/TAP device), followed by its SSL protocol implementation. Since the SSL protocol is explained more clearly in other entries, here we focus on the virtual network card and how OpenVPN uses it:


The virtual network card is a driver implemented with low-level network programming. Once installed, a new network interface appears on the host and can be configured like any other network card. The service program opens the virtual network card at the application layer. When application software (such as IE) sends data to the virtual network card, the service program can read that data, and when the service program writes suitable data to the virtual network card, the application software receives it. Virtual network cards have implementations on many operating systems, which is a very important reason why OpenVPN is cross-platform.


In OpenVPN, when a user accesses a remote virtual address (an address in the range used by the virtual network card, distinct from the host's real address), the operating system's routing mechanism delivers the data packet (TUN mode) or data frame (TAP mode) to the virtual network card. The service program reads the data from the virtual network card, processes it, and sends it to the external network through a socket. The remote service program receives the data from the external network through its socket, processes it, and writes it to its own virtual network card, from which the remote application receives it. That completes a one-way transmission; the reverse direction works the same way.
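The read, process and send loop described above, as an added example that is not part of the original article or of OpenVPN's own code. It opens a Linux TUN device (this part needs CAP_NET_ADMIN; the ioctl constants are those from linux/if_tun.h), parses the IPv4 header of each packet the kernel routes into the device, and forwards only well-formed packets whose destination lies in the tunnel's virtual address range (10.8.0.0/24 is an assumed value) to the remote peer over a UDP socket. The encryption and HMAC steps are left out here; the parsing and filtering functions run without a TUN device.

```python
import ipaddress
import os
import struct

# Linux TUN/TAP ioctl constants from <linux/if_tun.h>
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001
IFF_NO_PI = 0x1000

# Assumed virtual address range of the tunnel (the "virtual addresses" above)
VPN_NET = ipaddress.ip_network("10.8.0.0/24")


def open_tun(name="tun0"):
    """Create or attach to a Linux TUN device and return its file descriptor.
    Needs CAP_NET_ADMIN and Linux; fcntl is imported here so the parsing
    functions below remain usable on other platforms."""
    import fcntl
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI)
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) for a raw IPv4 packet, or None if it
    is malformed. Length checks come first so a truncated packet is never read
    past its end."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:total_len]


def should_tunnel(pkt):
    """Forward only well-formed packets addressed into the virtual network;
    anything else is dropped rather than leaked to the peer."""
    parsed = parse_ipv4(pkt)
    return parsed is not None and parsed[1] in VPN_NET


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet as constructed test input (the header
    checksum is left at zero because parse_ipv4 does not verify it)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def pump_once(tun_fd, sock, peer):
    """One step of the local side: read a packet the kernel routed into the TUN
    device and, if it belongs to the tunnel, send it to the remote peer through
    the UDP socket. Returns True if a packet was forwarded."""
    pkt = os.read(tun_fd, 65535)
    if not should_tunnel(pkt):
        return False
    sock.sendto(pkt, peer)
    return True


if __name__ == "__main__":
    # Demonstration on a constructed packet; no TUN device or root needed.
    sample = build_ipv4("10.8.0.2", "10.8.0.1", 17, b"hello")
    print(parse_ipv4(sample), should_tunnel(sample))
```

On a real host, `pump_once(open_tun(), socket.socket(socket.AF_INET, socket.SOCK_DGRAM), ("peer-address", 1194))` in a loop is the client half of the exchange; the server half reads from its socket and writes the packet to its own TUN device with `os.write`.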


[Encryption]

OpenVPN uses the OpenSSL library to encrypt both data and control-channel traffic. Because it relies on OpenSSL's encryption and authentication capabilities, it can use any algorithm OpenSSL supports. It also provides optional per-packet HMAC authentication to increase the security of the connection, and OpenSSL hardware acceleration can improve its performance.
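A per-packet HMAC check of the kind mentioned above, as an added example; it is not the article's or OpenVPN's code and does not reproduce OpenVPN's exact wire format (OpenVPN offers this through its tls-auth option and a static key file). It shows the two things the check buys a defender: a packet whose tag does not verify is dropped before anything else is parsed, and a packet counter with a sliding window rejects replays. load_static_key parses the OpenVPN static key file format into raw bytes; how OpenVPN slices that key into per-direction HMAC keys is not reproduced, so the whole key is used directly here.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"


def load_static_key(text):
    """Parse the OpenVPN static key file format (a 2048-bit key as hex lines
    between BEGIN/END markers, optionally preceded by '#' comments) into 256
    raw bytes."""
    inside = False
    hexdigits = []
    for line in text.splitlines():
        line = line.strip()
        if line == KEY_BEGIN:
            inside = True
        elif line == KEY_END:
            break
        elif inside and line and not line.startswith("#"):
            hexdigits.append(line)
    raw = bytes.fromhex("".join(hexdigits))
    if len(raw) != 256:
        raise ValueError("expected a 2048-bit static key")
    return raw


def protect(key, packet_id, payload):
    """Sender side: tag = HMAC(key, counter || payload); wire = tag || counter || payload."""
    body = struct.pack("!I", packet_id) + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


class Authenticator:
    """Receiver side: verify the tag, then reject replayed or too-old packet IDs
    with a sliding bitmap window (packet IDs start at 1; 0 is never valid)."""

    def __init__(self, key, window=64):
        self.key = key
        self.window = window
        self.highest = 0   # highest packet ID accepted so far
        self.seen = 0      # bit i set => ID (highest - i) already accepted

    def unprotect(self, wire):
        """Return the payload, or None if the packet must be dropped."""
        if len(wire) < TAG_LEN + 4:
            return None
        tag, body = wire[:TAG_LEN], wire[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted: dropped before any further parsing
        (packet_id,) = struct.unpack("!I", body[:4])
        if packet_id == 0 or not self._accept_id(packet_id):
            return None  # replay, or older than the window
        return body[4:]

    def _accept_id(self, packet_id):
        if packet_id > self.highest:
            shift = packet_id - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = packet_id
            return True
        offset = self.highest - packet_id
        if offset >= self.window or (self.seen >> offset) & 1:
            return False
        self.seen |= 1 << offset
        return True
```

Because the tag is checked first, a flood of packets from a sender without the key costs the receiver one HMAC computation each and never reaches the TLS or tunnel parsing code; that is the hardening the article's "optional packet HMAC" refers to.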


[Verification]

OpenVPN provides several authentication methods to confirm the identity of the participating parties: a pre-shared private key, a third-party certificate, and a username/password combination. The pre-shared key is the simplest, but it can only establish a VPN between two peers; PKI-based third-party certificates provide the most complete functionality, but require extra effort to maintain a PKI certificate system. OpenVPN 2.0 introduced username/password authentication, which lets the client certificate be omitted; a server certificate is still required for encryption.
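The username/password method seen from the server side, as an added example (constructed here; not the article's or OpenVPN's own code). OpenVPN hands the client's credentials to an external program named in its auth-user-pass-verify option; in that option's via-file mode the program receives the path of a temporary file with the username on the first line and the password on the second, and its exit status decides whether the client is accepted. The credential store below is a constructed dictionary of salted PBKDF2 hashes; the comparison is constant-time, and unknown usernames are hashed against a dummy record so that response timing does not reveal which accounts exist.

```python
#!/usr/bin/env python3
"""Constructed OpenVPN auth-user-pass-verify helper (via-file mode)."""
import hashlib
import hmac
import secrets
import sys

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows


def make_record(password, salt=None, iterations=ITERATIONS):
    """Create a stored credential: (salt, PBKDF2-HMAC-SHA256 hash, iterations)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


# Dummy record so a lookup for an unknown user costs the same as a real one.
DUMMY = make_record("placeholder")


def verify_credentials(store, username, password):
    """Return True only if username exists and password matches its record.
    The hash is always computed and compared in constant time."""
    salt, expected, iterations = store.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected) and username in store


def parse_via_file(text):
    """OpenVPN (via-file) writes the username on line 1 and the password on
    line 2 of the temporary file whose path is passed as the first argument."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0]:
        return None
    return lines[0], lines[1]


def main(argv):
    if len(argv) < 2:
        return 1
    with open(argv[1], "r", encoding="utf-8") as fh:
        creds = parse_via_file(fh.read())
    if creds is None:
        return 1
    # Constructed store; a real deployment reads it from a file the daemon can
    # still reach after chroot, or from a directory service.
    store = {"alice": make_record("correct horse battery staple")}
    return 0 if verify_credentials(store, *creds) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Referenced from the server configuration as `auth-user-pass-verify /path/to/this_script.py via-file` (path assumed), the script's exit status 0 accepts the client and any other status rejects it; the temporary file is created and removed by OpenVPN.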


[Network]


All OpenVPN communication goes over a single IP port. UDP is the recommended default, and TCP is also supported. OpenVPN connections can pass through most proxy servers and work well behind NAT. The server can "push" network configuration to the client, including its IP address, routing settings, and so on. OpenVPN provides two kinds of virtual network interface through the generic TUN/TAP driver: a Layer 3 IP tunnel, or a virtual Layer 2 Ethernet that can carry any kind of Layer 2 Ethernet frame. The transmitted data can be compressed with the LZO algorithm. The official port assigned to OpenVPN by IANA (Internet Assigned Numbers Authority) is 1194. OpenVPN 2.0 and later can manage several concurrent tunnels at once.


Because OpenVPN uses general-purpose transport protocols (TCP and UDP), it is an ideal alternative to protocols such as IPsec, especially where ISPs (Internet service providers) filter certain VPN protocols.


When choosing a protocol, consider the network conditions between the two tunnel endpoints. If latency is high or packet loss is heavy, choose TCP as the underlying protocol: UDP is connectionless and has no retransmission mechanism, and leaving retransmission to the protocols carried inside the tunnel is very inefficient.


[Security]

OpenVPN has many built-in security features: it runs in user space without modifying the kernel or the network stack; after initialization it can chroot into a directory and give up root privileges; and it can use mlockall to prevent sensitive data from being swapped to disk.
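A small check that a server configuration actually enables the protections listed above, as an added example (constructed; not the article's or OpenVPN's own code). The directive names are OpenVPN's real options: user and group drop root after initialization, chroot confines the daemon, mlock calls mlockall, and persist-key and persist-tun keep the key material and the TUN/TAP device usable after privileges are gone. The parser understands OpenVPN's comment syntax and skips inline certificate blocks; the sample configurations in the test are constructed.

```python
import shlex

# Hardening directives from the [Security] section (real OpenVPN option names)
# and the reason each one matters. Constructed checklist.
HARDENING = {
    "user": "run as an unprivileged user after initialization",
    "group": "run with an unprivileged group after initialization",
    "chroot": "confine the daemon to a directory after initialization",
    "mlock": "use mlockall so key material is never swapped to disk",
    "persist-key": "keep key material in memory so it need not be re-read after privileges are dropped",
    "persist-tun": "keep the tun/tap device open so restarts do not need root",
}


def parse_config(text):
    """Parse an OpenVPN-style config into {directive: [args, ...]} (one args
    list per occurrence). Handles '#' and ';' comments and skips inline
    <ca>...</ca> style blocks so their PEM lines are not read as directives."""
    options = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        options.setdefault(parts[0], []).append(parts[1:])
    return options


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse_config(text)
    findings = []
    for name, why in HARDENING.items():
        if name not in opts:
            findings.append("missing '%s': %s" % (name, why))
    if opts.get("user") and opts["user"][0] == ["root"]:
        findings.append("'user root' does not drop privileges")
    if opts.get("group") and opts["group"][0] == ["root"]:
        findings.append("'group root' does not drop privileges")
    return findings


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "r", encoding="utf-8") as fh:
        for finding in audit(fh.read()):
            print(finding)
```

Run as `python3 audit_openvpn.py /etc/openvpn/server.conf` (script name and path assumed); no output means the configuration carries every directive on the checklist.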


OpenVPN supports hardware tokens such as smart cards through PKCS#11.


[Comparison]


OpenSSH can also implement Layer 2/3 tunnel-based VPNs. Stunnel uses SSL to secure any single-port TCP service.


Recommended VPN services that support OpenVPN


1. CyberGhost


Supports the OpenVPN, L2TP/IPsec and IKEv2 (new) VPN protocols


2. Private Internet Access


Supports PPTP, OpenVPN and L2TP/IPsec

