OpenVPN basics
OpenVPN is free software for setting up a virtual private network (VPN) over encrypted TLS/SSL connections. Encryption is provided by OpenSSL. Either UDP or TCP can be chosen as the transport protocol. OpenVPN offers pre-shared keys or certificates as authentication methods. OpenVPN is licensed under the GNU GPL[1] (General Public License).[2]
Characteristics
OpenVPN offers the following characteristics:
- tunneling of any subnet or virtual Ethernet adapter over a single TCP or UDP port
- configuration of a scalable, load-balancing VPN server farm for thousands of client connections
- access to all encryption, authentication and certification features of the OpenSSL library
- authentication via a conventional static key (pre-shared key) or certificate-based public-key cryptography
- bridging (tap) and routing (tun) as operating modes
- network tunnels across dynamic endpoints (DHCP or dial-in), through connection- and state-oriented firewalls, or across NAT networks
- control via a GUI on Windows and OS X clients
Advantages
The communication via OpenVPN offers numerous advantages:[3]
- supports many operating systems (for example Linux, Solaris, various BSDs, OS X and Windows, as well as iOS and Android)[4]
- stability
- scalability (thousands of clients)
- simple installation
- works with dynamic IP addresses and NAT
- OpenSSL security model
- SSL/TLS and X.509 PKI (Public Key Infrastructure) for session authentication
- IPsec ESP protocol for secure tunnel transport over UDP[5]
Authentication
As mentioned in the introduction, authentication can be performed in two different ways: either via a static key (pre-shared key) or via certificates.
Authentication via a pre-shared key (PSK) is a symmetric procedure. The key is generated on the OpenVPN server and distributed to the client; the connection is established between a server and a client. During communication between client and server, the data is encrypted and decrypted with the PSK. The procedure is therefore easy to use. Its disadvantage is that the key must never be lost or compromised.[6][7]
You will find information on the setup in the following article: OpenVPN with Pre-shared Key.
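The two handling requirements the section names, that the key is generated on the server and that it must never be compromised, translate into two checks a practitioner can automate: is the distributed key file well-formed, and is it readable only by its owner? The following is an added example (not code from the article or from the OpenVPN project). The file layout it assumes is the V1 static key format written by `openvpn --genkey` (16 lines of 32 hex characters, i.e. 256 random bytes, between BEGIN/END markers); the function names and the findings text are constructed for this example.

```python
"""Generate and sanity-check an OpenVPN static key (pre-shared key) file.

Added example, not from the original article. The layout follows the V1
static key format produced by `openvpn --genkey`; the function names and
finding messages are this example's own.
"""
from __future__ import annotations

import os
import secrets

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256          # 2048-bit static key, as written by --genkey
LINE_HEX_CHARS = 32      # 16 lines x 32 hex chars = 512 hex chars = 256 bytes


def generate_static_key_text(key: bytes | None = None) -> str:
    """Return the text of a static key file; draws fresh random bytes if none are given."""
    key = secrets.token_bytes(KEY_BYTES) if key is None else key
    if len(key) != KEY_BYTES:
        raise ValueError(f"static key must be {KEY_BYTES} bytes, got {len(key)}")
    hexed = key.hex()
    lines = [hexed[i:i + LINE_HEX_CHARS] for i in range(0, len(hexed), LINE_HEX_CHARS)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *lines, FOOTER]) + "\n"


def check_static_key_text(text: str) -> list:
    """Return a list of findings; an empty list means the key text looks well-formed."""
    stripped = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in stripped if ln and not ln.startswith("#")]   # drop comment lines
    if not lines or lines[0] != HEADER or lines[-1] != FOOTER:
        return ["missing or wrong BEGIN/END markers"]
    body = "".join(lines[1:-1])
    try:
        key = bytes.fromhex(body)
    except ValueError:
        return ["key body is not hexadecimal"]
    findings = []
    if len(key) != KEY_BYTES:
        findings.append(f"key is {len(key)} bytes, expected {KEY_BYTES}")
    if len(set(key)) < 16:   # 256 random bytes have far more than 16 distinct values
        findings.append("key has very low byte diversity; was it really generated randomly?")
    return findings


def check_key_file_mode(mode: int) -> list:
    """Flag a key file whose permission bits allow group or world access (e.g. 0o644)."""
    return ["key file readable by group/others; chmod 600 recommended"] if mode & 0o077 else []


def write_static_key(path: str, text: str) -> None:
    """Create the key file with mode 0600 from the start, so it is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def audit_static_key_file(path: str) -> list:
    """Combine the format and permission checks for an existing key file."""
    with open(path) as fh:
        findings = check_static_key_text(fh.read())
    return findings + check_key_file_mode(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "static.key")
        write_static_key(path, generate_static_key_text())
        print(path, "->", audit_static_key_file(path) or "OK")
```

Running `audit_static_key_file` against the copy on the client is the useful part: the server-side file is usually created correctly by `--genkey`, while the copy that was mailed or copied across often ends up with a permissive mode or a truncated body.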
Certificate based
Certificate-based authentication via the TLS protocol is currently the most secure procedure. It is based on private/public key pairs and X.509 certificates. The OpenVPN server and each client hold their own private key and public certificate. OpenVPN provides a collection of scripts, the easy-rsa package, for conveniently creating the necessary certificates. The disadvantage compared to the pre-shared key method is the greater complexity and configuration effort.[8]
Communication
A VPN with OpenVPN can connect clients to a server (road warrior) or provide a site-to-site connection between two or more locations. The router must either have a fixed IP address or be reachable via a dynamic DNS entry. By default, OpenVPN uses the stateless UDP protocol on the default port 1194. It can also be run over TCP if UDP is blocked in the network.[9] The HTTPS port 443 is well suited for this, as it is open in most networks.
Network modes
OpenVPN currently offers two different network modes:[10][11][12]
- Bridging (TAP device)
- Routing (TUN device)
The routing mode (TUN device) is recommended as the more efficient and modern method.
Bridging (TAP-Device)
In bridging mode, Ethernet frames (Layer 2) are tunneled in their entirety. This makes it possible to use alternative protocols such as IPX or to send Wake-on-LAN packets. The client is transparently integrated into the network it dials into and receives an IP address from the local subnet. Broadcasts are therefore also forwarded, which enables, for example, the name resolution used by the SMB protocol.
| advantages | disadvantages |
|---|---|
Routing (TUN-device)
The routing mode creates an encrypted tunnel through which only IP packets (Layer 3) are carried. Each remote station is assigned a virtual IP address from a fictitious subnet. Access to the underlying network is not possible by default, but it can be enabled with IP forwarding and entries in the firewall's routing table.
| advantages | disadvantages |
|---|---|
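The Authentication, Communication and Network modes sections each describe a choice that ends up as a directive in the OpenVPN configuration file: `secret` versus `ca`/`cert`/`key`, `proto` and `port`, and `dev tun` versus `dev tap`. The following added example (not code from the article or from the OpenVPN project) reads a configuration and reports which of those choices it makes, so a reviewer can see at a glance whether a server runs in static-key or certificate mode, which transport it listens on, and whether it bridges or routes. The three configurations are constructed samples. The directive names used are real OpenVPN directives; `tls-auth`/`tls-crypt` are not mentioned in the article and are included here only as an extra check for certificate-based setups. The profile and finding wording is this example's own.

```python
"""Classify an OpenVPN configuration by authentication method, transport and
network mode. Added example; sample configurations are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

PSK_P2P_CONF = """\
# constructed sample: static key, point-to-point tunnel
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
auth SHA256
"""

TLS_ROUTED_CONF = """\
# constructed sample: certificate-based server, routing mode, TCP/443 fallback
dev tun
proto tcp
port 443
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt tc.key
"""

TLS_BRIDGED_CONF = """\
# constructed sample: certificate-based server, bridging mode, defaults for proto/port
dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250
ca ca.crt
cert server.crt
key server.key
dh dh.pem
"""


@dataclass
class VpnProfile:
    auth: str               # "pre-shared key", "certificate (TLS)" or "unknown"
    mode: str               # "routing (tun)", "bridging (tap)" or "unknown"
    proto: str              # "udp" or "tcp" (or a variant such as "tcp-server")
    port: int
    notes: list = field(default_factory=list)


def parse_directives(text: str) -> dict:
    """Map each directive name to the list of argument lists seen for it.
    Comment lines start with '#' or ';', as in OpenVPN configuration files."""
    directives: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def classify(text: str) -> VpnProfile:
    d = parse_directives(text)
    notes = []
    # Authentication: 'secret' selects static-key mode, ca/cert/key selects TLS.
    if "secret" in d:
        auth = "pre-shared key"
        notes.append("static key mode: the shared key must stay secret on both ends")
        if "ca" in d or "cert" in d:
            notes.append("'secret' combined with TLS directives: choose one method")
    elif {"ca", "cert", "key"}.issubset(d):
        auth = "certificate (TLS)"
        if "tls-auth" not in d and "tls-crypt" not in d:
            notes.append("no tls-auth/tls-crypt: control channel is not HMAC-protected before the TLS handshake")
    else:
        auth = "unknown"
        notes.append("neither 'secret' nor a complete ca/cert/key set found")
    # Network mode: tun = routing (Layer 3), tap = bridging (Layer 2).
    dev = d.get("dev", [["none"]])[0][0]
    if dev.startswith("tun"):
        mode = "routing (tun)"
    elif dev.startswith("tap"):
        mode = "bridging (tap)"
        notes.append("bridging forwards Layer 2 broadcasts into the tunnel; check that this is intended")
    else:
        mode = "unknown"
    # Transport: OpenVPN defaults to UDP on port 1194 when the directives are absent.
    proto = d.get("proto", [["udp"]])[0][0].lower()
    port = int(d.get("port", [["1194"]])[0][0])
    if proto.startswith("tcp") and port == 443:
        notes.append("TCP/443: the fallback for networks that block UDP")
    return VpnProfile(auth, mode, proto, port, notes)


if __name__ == "__main__":
    for name, conf in [("psk", PSK_P2P_CONF), ("routed", TLS_ROUTED_CONF), ("bridged", TLS_BRIDGED_CONF)]:
        print(name, classify(conf))
```

Feed it the real server.conf to get an inventory line per VPN endpoint; the `unknown` outcomes are the ones worth a manual look, since they mean the file relies on includes or on directives this small parser does not follow.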
References
1. M 5.148 Secure connection of an external network with OpenVPN (bsi.bund.de)
2. OpenVPN (openvpn.net)
3. OpenVPN (wiki.ubuntuusers.de)
4. Why OpenVPN? (openvpn.net)
5. IPsec Encapsulating Security Payload (de.wikipedia.org)
6. Static Key Mini-HOWTO (openvpn.net)
7. OpenVPN Pre-shared Key (de.wikipedia.org)
8. OpenVPN certificate-based (de.wikipedia.org)
9. Why does OpenVPN use UDP and TCP? (openvpn.net/faq)
10. Determining whether to use a routed or bridged VPN (openvpn.net)
11. Comparison TUN/TAP (wiki.openvpn.eu)
12. Bridging vs. Routing (community.openvpn.net)
Author: Thomas Niedermeier. Thomas Niedermeier, working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas has been employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.
Translator: Alina Ranzinger. Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she took up her position as assistant to the Product Management and is responsible for translating texts and for organising the department.