Tuesday, February 14, 2012

OpenVPN

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multi-client server configuration, it allows the server to release an authentication certificate for every client, using signatures and a certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

Architecture

Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance. Support for PolarSSL is coming in version 2.3.

Authentication

OpenVPN has several ways to authenticate peers with each other. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. A pre-shared secret key is the easiest, with certificate-based being the most robust and feature-rich. In version 2.0 username/password authentication can be enabled, both with or without certificates. However, to make use of username/password authentication, OpenVPN depends on third-party modules. See the Extensibility section for more information.

Networking

OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing created IPsec ESP tunnels on a single TCP/UDP port (RFC 3948 for UDP). It has the ability to work through most proxy servers (including HTTP) and is good at working through Network Address Translation (NAT) and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. Port 1194 is the official IANA-assigned port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows one process to manage several simultaneous tunnels, as opposed to the original "one tunnel per process" restriction of the 1.x series.

OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, "business grade," service tier.

Security

OpenVPN offers several internal security features. It runs in userspace, instead of requiring IP stack (and therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization and apply an SELinux context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS. OpenVPN offers support for smart cards via PKCS#11 based cryptographic tokens.
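As an added example (not from the original page or the OpenVPN project), a small audit script that checks an OpenVPN server config for the hardening directives this section describes: dropping root (`user`/`group`), `mlock`, a `chroot` jail, and the `tls-auth` HMAC firewall mentioned under Encryption. Both sample configs are constructed; the file names and the `/var/empty` jail path are assumptions.

```python
"""Audit an OpenVPN server config for the hardening directives discussed
above. Both configs below are constructed samples for this example."""
import re

# (regex matched against each directive line, finding reported when absent)
HARDENING_CHECKS = [
    (r"^user\s+\S+", "runs as root after init: add 'user nobody' (or a dedicated account)"),
    (r"^group\s+\S+", "keeps the root group: add 'group nogroup'"),
    (r"^mlock\b", "key material may be swapped to disk: add 'mlock'"),
    (r"^chroot\s+\S+", "no chroot jail after init: add 'chroot /var/empty'"),
    (r"^tls-(auth|crypt)\s+\S+", "control channel has no HMAC firewall: add 'tls-auth ta.key 0'"),
]

def parse_directives(config_text):
    """Return directive lines, skipping blanks and full-line comments (# or ;)."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            directives.append(line)
    return directives

def audit_openvpn_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_directives(config_text)
    return [finding for pattern, finding in HARDENING_CHECKS
            if not any(re.match(pattern, d) for d in directives)]

# Minimal working server config with no hardening (constructed sample).
WEAK_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
"""

# Same config plus the hardening directives. persist-key/persist-tun let a
# SIGUSR1 restart reuse keys and the tun device once root has been dropped.
HARDENED_CONFIG = WEAK_CONFIG + """\
tls-auth ta.key 0
user nobody
group nogroup
persist-key
persist-tun
mlock
chroot /var/empty
"""
```

Running `audit_openvpn_config(WEAK_CONFIG)` lists five findings, one per missing directive; the hardened config produces none.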

Extensibility

OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined entry points. The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with usernames and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the script interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code there are some examples of such plug-ins, including a PAM authentication plug-in. There also exist several third-party plug-ins to authenticate against LDAP or SQL databases such as SQLite and MySQL. There is an overview of many of these extensions on the related project wiki page for the OpenVPN community.
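To show the script interface the text refers to, here is an added example (not from the page or the OpenVPN project) of an `auth-user-pass-verify` script in the `via-file` form: OpenVPN writes the username on line 1 and the password on line 2 of a temporary file, runs the script with that path as its only argument, and accepts the client only on exit status 0. The user store, passwords and PBKDF2 parameters are constructed for the illustration; wiring it up would take `script-security 2` and `auth-user-pass-verify /etc/openvpn/verify.py via-file` (path assumed) in the server config.

```python
"""auth-user-pass-verify script for OpenVPN's via-file mode.
Exit 0 accepts the client, any other status rejects it."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def make_record(password, salt=None):
    """Build a stored (salt, hash) record for a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed user store; a real deployment loads records from disk.
USERS = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("constructed-sample-pass"),
}
DUMMY = make_record(os.urandom(8).hex())  # hashed for unknown users

def verify_credentials(username, password, users=USERS):
    """Return True only if the user exists and the password matches.
    Unknown users are still hashed so timing does not reveal valid names."""
    salt, expected = users.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected) and username in users

def read_credentials_file(path):
    """Parse the via-file temp file: line 1 username, line 2 password."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2:
        raise ValueError("expected username and password lines")
    return lines[0], lines[1]

def main(argv):
    """Entry point OpenVPN invokes as: verify.py <tmpfile>."""
    try:
        username, password = read_credentials_file(argv[1])
    except (IndexError, OSError, ValueError):
        return 1  # any parsing problem is a rejection
    return 0 if verify_credentials(username, password) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```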

Platforms

It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista/7. While most mobile phone OSes (iOS, Palm OS, etc.) do not support OpenVPN, it is available for Maemo, Windows Mobile 6.5 and below, and Android devices which have had the Cyanogenmod aftermarket firmware flashed or have the correct kernel module installed. It is not a "web-based" VPN, meaning that it is not presented as a web page such as Citrix or TS Web Access; the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard. OpenVPN is not compatible with IPsec or any other VPN package. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.

Client software

While OpenVPN is a command-line utility, it provides a management interface specifically designed to allow the establishment and control of an OpenVPN daemon by external software. This has allowed the development of a number of third-party clients that provide a GUI for connecting to an OpenVPN server.

Firmware implementations

OpenVPN has been integrated into routing firmware packages such as Vyatta, pfSense, DD-WRT, OpenWrt and Tomato (firmware), allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, lets users within that network access their VPN without having to install OpenVPN on each computer on that network.

Community

There are many support options for OpenVPN. The primary method for community support is through the OpenVPN mailing lists. Other sources of support, not directly affiliated with OpenVPN, include: