As the name suggests, OpenVPN is an open source VPN package. What isn’t immediately obvious is that, rather than using the more popular PPTP or L2TP/IPsec VPN protocols, OpenVPN uses SSL/TLS (using the OpenSSL toolkit). I’ve been playing with this free product for the last week and have been very impressed.
While PPTP and L2TP/IPsec are certainly the more popular VPN technologies, just by taking a look at their Wikipedia pages (here and here) it would seem that they are neither the most secure nor the most straight forward to set up.
While I can’t say that OpenVPN has the most user-friendly setup process, with good instructions it’s fairly straight-forward and, once it’s up and running, it’s mightily secure. In fact, from the outside world, it’s nearly impossible to detect it’s even there (but more on that later).
OpenVPN works in a client-server arrangement. On your host network, you install a copy and drop in a config file to designate it as the server. You then generate the client-server SSL/TLS certificate pairs and set up passwords, ports, etc. Once that’s done, you can port forward from your router to the OpenVPN server on your host network, allowing you to access it from remote networks.
On the client (eg. your laptop), you run the same install file, but use a client config file. You then drop the certificate files you just created onto the client machine and boom, you have yourself a VPN.
While it’s not quite as easy as I’m making it out to be, as I’ll explain, it’s well worth the hour or two (plus the inevitable time for annoying mistakes).
The reason I’m so pro-OpenVPN is that it implements some very cool technologies. The first being SSL/TLS for tunneling. Being so widely used on the web, this protocol has been proven to be secure. In addition, it is also very routable and you can change the inbound port number on your router to work on 80, 443, etc if you think you’ll be working on restrictive networks.
Using SSL/TLS also means that you’re using certificates for authentication. OpenVPN let’s you generate 2048-bit certificate pairs, so unless an attacker actually has a client certificate, they can forget it. Even if your laptop was stolen, your certificate can be password protected, giving you plenty of time to delete the certificate pair from the server to render it useless.
Another nice touch is the option to use UDP, which is much less susceptible to attack due to its connectionless nature. I also like the flexibility to choose any encryption cipher in the OpenSSL toolkit, including the speedy yet secure AES-128.
But, in my opinion, what seals the deal is a lesser known feature called TLS-AUTH. As I mentioned briefly, even with OpenVPN running and with port forwarding on, it’s impossible for anyone but the client machines to solicit a response from your OpenVPN server. That’s because, with TLS-AUTH turned on, the server requires that all handshake packets be signed with a predefined cryptographic string, called an HMAC signature. This signature is stored in one of the files you copy to each client. Any packets sent to the server that haven’t been authenticated with this signature are dropped cold, so it appears to the would-be attacker that there is no machine at all.
On top of all this, initiating a VPN tunnel from a your laptop couldn’t be easier. You double click a system tray icon, enter a password and it’s done. From then on it’s just like you are plugged into the host network. You can browse file shares, use network services (eg. VoIP or Exchange) and browse out through the host internet connection. It’s nice when you can get this level of functionality for such a small sacrifice to security and I can certainly say that OpenVPN has the best functionality to security ratio that I’ve seen. In addition, it’s free.
In the next few days I’ll be posting a comprehensive guide to setting up OpenVPN. It will be based on a couple of guides I’ve used, official documentation and a lot of Googling. I hope it’ll prove useful.
In the meantime, if you’d like to read up on OpenVPN security, just Google it. There are a bunch of good articles.
EDIT: The guide is finished, you can can view it here.