Editing OpenVPN

{{Short description|Free and open-source virtual private network software}}
{{Use dmy dates|date=July 2016}}
{{infobox software
| logo = OpenVPN logo.svg
| logo size = 200px
| screenshot = 
| caption = 
| author = James Yonan
| developer = OpenVPN project / OpenVPN Inc.
| released = {{Start date and age|df=yes|2001|5|13}}<ref>OpenVPN Change Log - [https://github.com/OpenVPN/openvpn2-historical-cvs/blob/d32aa83c2adc6f9fb70e2f0cc32c344f4864e95d/CHANGES#L20 OpenVPN Release Notes]</ref>
| programming language = [[C (programming language)|C]]
| operating system = 
| platform = {{plainlist|
*[[Windows 7]] or later<ref name="OVPN">{{cite web|title=Downloads|url=https://openvpn.net/index.php/open-source/downloads.html|website=openvpn.net|access-date=27 January 2023}}</ref>
*[[OS X Mountain Lion|OS X 10.8]] or later
*[[Android 4.0]] or later<ref>{{cite web|url=https://play.google.com/store/apps/details?id=net.openvpn.openvpn|title=OpenVPN - Android Apps on Google Play}}</ref>
*[[iOS 6]] or later<ref>{{cite web|url=https://itunes.apple.com/us/app/private-tunnel-vpn/id854725970|archive-url=https://web.archive.org/web/20150315013008/https://itunes.apple.com/us/app/private-tunnel-vpn/id854725970|url-status=dead|archive-date=15 March 2015|title=Private Tunnel VPN|date=23 October 2014|work=App Store}}</ref>
*[[Linux]]<ref>{{cite web|url=https://openvpn.net/index.php/access-server/docs/admin-guides/182-how-to-connect-to-access-server-with-linux-clients.html|title=How to connect to Access Server from a Linux computer}}</ref>
*[[*BSD]]<ref>{{cite web|url=https://www.freebsd.org/cgi/ports.cgi?query=openvpn&stype=all|title=FreeBSD Ports Search}}</ref><ref>{{cite web|url=http://openports.se/net/openvpn|archive-url=https://web.archive.org/web/20090518020445/http://openports.se/net/openvpn|url-status=usurped|archive-date=18 May 2009|title=OpenBSD Ports}}</ref><ref>{{cite web|url=http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/net/openvpn/README.html|title=The NetBSD Packages Collection: net/openvpn}}</ref>
}}
| language = 
| genre = [[Virtual private network|VPN]]
| license = [[GNU GPLv2]]<ref>{{Cite web|url=https://github.com/OpenVPN/openvpn/blob/master/COPYING|title=openvpn_COPYING at master · OpenVPN_openvpn|website=[[GitHub]] |date=2019-07-30|archive-url=https://archive.today/20190731031634/https://github.com/OpenVPN/openvpn/blob/master/COPYING|archive-date=31 July 2019|url-status=live|access-date=2019-07-30}}</ref>
}}

'''OpenVPN''' is a [[virtual private network]] (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both [[client-server architecture|client and server]] applications.

OpenVPN allows [[peer-to-peer|peers]] to [[authentication|authenticate]] each other using [[pre-shared key|pre-shared secret keys]], [[public key certificate|certificates]] or [[user (computing)|username]]/[[password]]. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using [[digital signature|signatures]] and [[certificate authority]].

It uses the [[OpenSSL]] encryption [[Library (computing)|library]] extensively, as well as the [[Transport Layer Security|TLS]] protocol, and contains many security and control features. It uses a custom security protocol<ref name=openvpn-protocol>{{cite web|title=OpenVPN Security Overview|url=http://openvpn.net/index.php/open-source/documentation/security-overview.html|access-date=28 September 2011}}</ref> that utilizes [[Transport Layer Security|SSL/TLS]] for key exchange. It is capable of traversing [[network address translator]]s (NATs) and [[Firewall (computing)|firewall]]s.{{fact|date=July 2022}}

OpenVPN has been ported and embedded to several systems. For example, [[DD-WRT]] has the OpenVPN server function. [[SoftEther VPN]], a multi-protocol VPN server, also has an implementation of OpenVPN protocol.<ref>{{cite web|url=https://opensource.com/article/18/8/open-source-tools-vpn|title=6 open source tools for making your own VPN|last=Bischoff|first=Paul|date=2018-08-31|website=[[Opensource.com]]|language=en|archive-url=https://web.archive.org/web/20180831141210/https://opensource.com/article/18/8/open-source-tools-vpn|archive-date=2018-08-31|url-status=live|access-date=2019-07-30}}</ref>

It was written by James Yonan and is [[free software]], released under the terms of the [[GNU General Public License version 2]] (GPLv2).<ref>LinuxSecurity.com - [http://www.linuxsecurity.com/content/view/117363/49/ OpenVPN: An Introduction and Interview with Founder, James Yonan]</ref> Additionally, commercial licenses are available.<ref>[https://openvpn.net/pricing/ openvpn.net: Pricing], retrieved 12 December 2018</ref>

==Architecture==

===Encryption===

OpenVPN uses the [[OpenSSL]] library to provide [[encryption]] of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the [[HMAC]] packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance.<ref>{{cite book|author=Andrew Lockhart|title=Network Security Hacks: Tips & Tools for Protecting Your Privacy|url=https://books.google.com/books?id=6weH75ATpbUC&pg=PA339|year=2006|publisher="O'Reilly Media, Inc."|isbn=978-0-596-55143-8|page=339}}</ref><ref>{{cite book|author=6net|title=IPv6 Deployment Guide|url=https://books.google.com/books?id=logdYuisKWgC&pg=PA109|year=2008|publisher=Javvin Technologies Inc.|isbn=978-1-60267-005-1|page=109}}</ref> Support for [[mbed TLS]] is available starting from version 2.3.<ref>Overview of changes in OpenVPN v2.3 - [https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23 ChangesInOpenvpn23 - OpenVPN Community]</ref>

===Authentication===

OpenVPN has several ways to [[authentication|authenticate]] peers with each other. OpenVPN offers [[pre-shared key]]s, certificate-based, and username/password-based authentication. Preshared secret key is the easiest, and certificate-based is the most robust and [[feature-rich]].{{citation needed|date=April 2018}} In version 2.0 username/password authentications can be enabled, both with or without certificates. However, to make use of username/password authentications, OpenVPN depends on third-party modules.{{citation needed|date=June 2018}}

===Networking===
{{More citations needed section|date=July 2009}}
OpenVPN can run over [[User Datagram Protocol]] (UDP) or [[Transmission Control Protocol]] (TCP) transports, multiplexing created SSL tunnels on a single TCP/UDP port<ref>OpenVPN man page, section "TLS Mode Options"</ref> (RFC 3948 for UDP).<ref>{{cite book|author1=Petros Daras|author2=Oscar Mayora|title=User Centric Media: First International Conference, UCMedia 2009, Venice, Italy, December 9-11, 2009, Revised Selected Papers|url=https://books.google.com/books?id=ti8WoFmQHdoC&pg=PA239|year=2013|publisher=Springer Science & Business Media|isbn=978-3-642-12629-1|page=239}}</ref> 

From 2.3.x series on, OpenVPN fully supports IPv6 as protocol of the virtual network inside a tunnel and the OpenVPN applications can also establish connections via IPv6.<ref>[https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN community wiki], IPv6 in OpenVPN - retrieved 8 December 2013</ref>
It has the ability to work through most [[proxy servers]] (including [[HTTP]]) and is good at working through [[network address translation]] (NAT) and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the [[TUN/TAP|Universal TUN/TAP driver]]. It can create either a [[OSI model#Layer 3: Network layer|layer-3]] based IP tunnel (TUN), or a [[OSI model#Layer 2: Data link layer|layer-2]] based Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the [[Lempel–Ziv–Oberhumer|LZO]] compression library to compress the data stream. Port 1194 is the official [[Internet Assigned Numbers Authority|IANA]] assigned port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows for one process to manage several simultaneous tunnels, as opposed to the original "one tunnel per process" restriction on the 1.x series.

OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to [[IPsec]] in situations where an [[Internet service provider|ISP]] may block specific [[Virtual private network|VPN]] protocols in order to force users to subscribe to a higher-priced, "business grade" service tier. For example, [[Comcast]] previously declared that their @Home product was, and had always been, designated as a residential service and did not allow the use of commercial applications. Their argument was that conducting [[remote work]] via a VPN can adversely affect the network performance of their regular residential subscribers. They offered an alternative, @Home Professional, this would cost more than @Home product. So, anyone wishing to use VPN would have to subscribe to higher-priced, business-grade service tier.<ref>{{Cite web|title=OpenVPN VPN Protocol|url=https://privacyhq.com/documentation/openvpn-vpn-protocol/|access-date=2021-06-24|website=privacyhq.com|language=en}}</ref>

When OpenVPN uses [[Transmission Control Protocol]] (TCP) transports to establish a tunnel, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire.<ref>{{cite web|last=Murray|first=Mike|archive-url=https://web.archive.org/web/20210320203759/https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings|archive-date=20 March 2021|access-date=20 July 2022|title=OPENVPN MTU: Finding The Correct Settings|url=https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings|url-status=live|website=The Geek Pub|date=20 March 2021 }}</ref> If this becomes untrue, performance falls off dramatically due to the [[TCP meltdown problem]].<ref>{{cite web|url=http://sites.inka.de/bigred/devel/tcp-tcp.html|title=Why TCP Over TCP Is A Bad Idea|first=Olaf|last=Titz|date=23 April 2001|access-date=17 October 2015}}</ref><ref>{{cite conference|bibcode=2005SPIE.6011..138H|title=Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency|author1=Honda, Osamu|author2=Ohsaki, Hiroyuki|author3=Imase, Makoto|author4=Ishizuka, Mika|author5=Murayama, Junichi|s2cid=8945952|book-title=Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III|volume=6011|date=October 2005|doi=10.1117/12.630496|citeseerx=10.1.1.78.5815|editor1-last=Atiquzzaman|editor1-first=Mohammed|editor2-last=Balandin|editor2-first=Sergey I.}}</ref>

===Security===

OpenVPN offers various internal security features. It has up to [[256-bit]] encryption through the [[OpenSSL]] library, although some service providers may offer lower rates, effectively providing some of the fastest VPN available to consumers. OpenVPN also supports [[Forward secrecy|Perfect Forward Secrecy (PFS)]], which regenerates encryption keys at set intervals, ensuring that even if one key is compromised, previous and future data remains secure. Additionally, OpenVPN can be configured with various encryption ciphers, such as ChaCha20 and AES-256.<ref>{{Cite web |date=2023-11-29 |title=OpenVPN explained: Definition, how it works, and safety {{!}} NordVPN |url=https://nordvpn.com/de/blog/what-is-openvpn/ |access-date=2024-09-10 |website=nordvpn.com |language=de}}</ref> It runs in [[userspace]] instead of requiring IP stack (therefore kernel) operation. OpenVPN has the ability to [[Privilege separation|drop root privileges]], use [http://www.opengroup.org/onlinepubs/009695399/functions/mlockall.html mlockall] to prevent swapping sensitive data to disk, enter a [[chroot|chroot jail]] after initialization, and apply a [[Selinux|SELinux]] context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS,<ref name=openvpn-protocol /> rather than supporting IKE, IPsec, L2TP or [[Point-to-Point Tunneling Protocol|PPTP]].

OpenVPN offers support of [[smart card]]s via [[PKCS11|PKCS#11]]-based cryptographic tokens.

===Extensibility===

OpenVPN can be extended with third-party [[plug-in (computing)|plug-ins]] or scripts, which can be called at defined entry points.<ref>{{cite web|url=http://openvpn.net/index.php/open-source/documentation/manuals/427-openvpn-22.html#lbAQ|title=OpenVPN script entry points|publisher=Openvpn.net|access-date=30 July 2012}}</ref><ref>[https://web.archive.org/web/20110728041758/http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn%2Fopenvpn.git%3Ba%3Dblob%3Bf%3Dopenvpn-plugin.h%3Bhb%3DHEAD OpenVPN plug-in entry points for C based modules].</ref> The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and passwords, dynamic firewall updates, [[RADIUS]] integration and so on. The plug-ins are dynamically loadable modules, usually written in [[C (programming language)|C]], while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code<ref>{{cite web|url=http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn.git;a=tree;h=HEAD|title=OpenVPN example plug-ins|publisher=Openvpn.git.sourceforge.net|access-date=30 July 2012}}</ref> there are some examples of such plug-ins, including a [[Pluggable authentication module|PAM]] authentication plug-in. Several third-party plug-ins also exist to authenticate against [[Lightweight Directory Access Protocol|LDAP]] or SQL databases such as [[SQLite]] and [[MySQL]].<ref>[https://community.openvpn.net/openvpn/wiki/RelatedProjects OpenVPN Community Wiki - Related Projects]</ref>

===Header===

{|class=wikitable style="margin:0 auto;text-align:center"
|+OpenVPN header format
|-
! ''Offsets''
![[Octet (computing)|Octet]]
!colspan=8|0
!colspan=8|1
!colspan=8|2
!colspan=8|3
|-
![[Octet (computing)|Octet]]
![[Bit]]
!style=width:2.6%|0
!style=width:2.6%|1
!style=width:2.6%|2
!style=width:2.6%|3
!style=width:2.6%|4
!style=width:2.6%|5
!style=width:2.6%|6
!style=width:2.6%|7
!style=width:2.6%|8
!style=width:2.6%|9
!style=width:2.6%|10
!style=width:2.6%|11
!style=width:2.6%|12
!style=width:2.6%|13
!style=width:2.6%|14
!style=width:2.6%|15
!style=width:2.6%|16
!style=width:2.6%|17
!style=width:2.6%|18
!style=width:2.6%|19
!style=width:2.6%|20
!style=width:2.6%|21
!style=width:2.6%|22
!style=width:2.6%|23
!style=width:2.6%|24
!style=width:2.6%|25
!style=width:2.6%|26
!style=width:2.6%|27
!style=width:2.6%|28
!style=width:2.6%|29
!style=width:2.6%|30
!style=width:2.6%|31
|-
!0
!0
|colspan=5|Opcode
|colspan=3|KeyID
|colspan=24|Session ID
|-
!4
!32
|colspan=32|Session ID
|-
!8
!64
|colspan=8|Session ID
|colspan=24|HMAC
|-
!12
!96
|colspan=32 rowspan=3|HMAC
|-
!⋮
!⋮
|-
!24
!192
|-
!28
!224
|colspan=8|HMAC
|colspan=24|Packet ID
|-
!32
!256
|colspan=8|Packet ID
|colspan=24|Net Time
|-
!36
!288
|colspan=8|Net Time
|colspan=8|Msg Array Len
|colspan=16|Message Packet ID #
|-
!⋮
!⋮
|}

==Platforms==

It is available on [[Solaris (operating system)|Solaris]], [[Linux]], [[OpenBSD]], [[FreeBSD]], [[NetBSD]], [[QNX]], [[macOS]] and [[comparison of Microsoft Windows versions|Windows XP and later]].<ref>{{cite web|title=Downloads|url=https://openvpn.net/index.php/open-source/downloads.html|website=openvpn.net|publisher=OpenVPN|access-date=6 August 2015}}</ref> OpenVPN is available for [[mobile operating system]]s including [[Maemo]],<ref>{{cite web|url=http://maemo.org/downloads/product/Maemo5/openvpn/|title=OpenVPN Maemo package|publisher=Maemo.org|access-date=30 July 2012}}</ref> [[Windows Mobile]] 6.5 and below,<ref>{{cite web|url=http://ovpnppc.ziggurat29.com/ovpnppc-main.htm|title=OpenVPN for PocketPC|publisher=Ovpnppc.ziggurat29.com|date=1 April 2007|access-date=30 July 2012}}</ref> [[iOS]] 3GS+ devices,<ref>{{cite web|url=https://apps.apple.com/us/app/openvpn-connect/id590379981|title=OpenVPN Connect|publisher=OpenVPN Technologies|date=16 January 2013|access-date=16 January 2013}}</ref> [[IOS jailbreaking|jailbroken]] [[iOS]] 3.1.2+ devices,<ref>{{cite web|url=http://guizmovpn.com|title=GuizmOVPN - OpenVPN GUI for iPhone/iPad|publisher=guizmovpn.com|date=30 September 2007|access-date=30 September 2012}}</ref> [[Android (operating system)|Android]] 4.0+ devices, and Android devices that have had the [[Cyanogenmod]] aftermarket firmware flashed<ref>{{cite web|url=https://github.com/CyanogenMod/android_vendor_cyanogen/blob/eclair/CHANGELOG|title=CHANGELOG at eclair from CyanogenMod's android_vendor_cyanogen|date=7 July 2010|work=[[GitHub]]|publisher=cyanogen|access-date=28 October 2010}} [https://github.com/cyanogen/android_vendor_cyanogen/blob/eclair/CHANGELOG Nexus One Cyanogenmod changelog]</ref> or have the correct kernel module installed.<ref>{{cite web|url=http://ww43.vpnblog.info/android-openvpn-strongvpn.html|archive-url=https://web.archive.org/web/20110526083443/https://vpnblog.info/android-openvpn-strongvpn.html|title=How to setup and configure OpenVPN on Android rooted device &#124; VPN blog is actual information about VPN|website=Vpnblog.info|archive-date=26 May 2011|url-status=dead}}</ref> It is not compatible with some mobile phone OSes, including [[Palm OS]]. It is not a "web-based" VPN shown as a web page such as [[Citrix]] or [[Remote Desktop Services|Terminal Services Web access]]; the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard. OpenVPN is not compatible with VPN clients that use the [[IPsec]] over [[L2TP]] or [[PPTP]] protocols. The entire package consists of one [[Binary file|binary]] for both [[Client (computing)|client]] and [[server (computing)|server]] connections, an optional [[configuration file]], and one or more key files depending on the authentication method used.

===Firmware implementations===

OpenVPN has been integrated into several [[Router (computing)|router]] firmware packages allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, allows any device on a network to access a VPN without needing the capability to install OpenVPN.

Notable firmware packages with OpenVPN integration include:

{|class=wikitable
|+Notable firmware packages with OpenVPN integration
!Firmware package!!Cost!!Developer!!References
|-
|[[DD-WRT]]||Free||NewMedia-NET GmbH||<ref>dd-wrt.com - [https://wiki.dd-wrt.com/wiki/index.php/OpenVPN OpenVPN]</ref>
|-
|[[Gargoyle (router firmware)|Gargoyle]]||Free||Eric Bishop||<ref>[https://www.gargoyle-router.com/wiki/doku.php?id=openvpn&s Gargoyle Wiki - OpenVPN]</ref>
|-
|[[OpenWrt]]||Free||Community driven development||<ref>{{cite web|url=https://openwrt.org/docs/guide-user/services/vpn/openvpn/start|title=OpenVPN - OpenWrt Wiki|publisher=openwrt.org|access-date=2018-06-11}}</ref>
|-
|[[OPNsense]]||Free||Deciso BV||<ref>{{cite web|url=https://opnsense.org/opnsense-17-1-released/|title=opnsense.org - OPNsense 17.1 Release Announcement}}</ref>
|-
|[[pfSense]]||Free||Rubicon Communications, LLC (Netgate)||
|-
|[[Tomato (firmware)|Tomato]]||Free||Keith Moyer||<ref>{{cite web|url=http://tomatovpn.keithmoyer.com|title=TomatoVPN|publisher=Tomatovpn.keithmoyer.com|access-date=30 July 2012}}</ref><ref>LinksysInfo.org – [http://www.linksysinfo.org/forums/showthread.php?t=59416 VPN build with Web GUI]</ref>
|-
|}

OpenVPN has also been implemented in some manufacturer router firmware.

===Software implementations===

OpenVPN has been integrated into [[SoftEther VPN]], an open-source multi-protocol VPN server, to allow users to connect to the VPN server from existing OpenVPN clients.

OpenVPN is also integrated into [[VyOS|Vyos]], an open-source routing [[operating system]] forked from the [[Vyatta]] software router.

==Licensing==

OpenVPN is available in two versions:

*OpenVPN Community Edition, which is a free and open-source version
*OpenVPN Access Server (OpenVPN-AS) is based on the Community Edition, but provides additional paid and proprietary features like LDAP integration, SMB server, Web UI management and provides a set of installation and configuration tools that are reported to simplify the rapid deployment of a VPN remote-access solution.<ref name="editions">{{cite web|url=https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/225-compare-openvpn-community-and-enterprise-editions.html|title=OpenVPN Product Comparison|access-date=2017-01-15}}</ref><ref name="accessServerDesc">{{cite web|url=https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/133-what-is-openvpn-access-server.html|title=What is OpenVPN Access Server (OpenVPN-AS)?|access-date=2017-01-15}}</ref> The Access Server edition relies heavily on [[iptables]] for [[load balancing (computing)|load balancing]] and it has never been available on Windows for this reason. This version is also able to dynamically create client ("OpenVPN Connect") installers, which include a client profile for connecting to a particular Access Server instance.<ref name="accessServerDetails">{{cite web|url=https://github.com/wget/chocolatey_package_openvpn/issues/2#issuecomment-272799486|title=Regarding chocolatey.org repository · Issue #2 · wget/chocolatey_package_openvpn|website=[[GitHub]] |date=2017-01-16|access-date=2017-01-16}}</ref> However, the user does not need to have an Access Server client in order to connect to the Access Server instance; the client from the OpenVPN Community Edition can be used.<ref name="asCommunityClient">{{cite web|url=https://openvpn.net/index.php/access-server/section-faq-openvpn-as/client-configuration/140-can-i-use-open-source-openvpn-client-gui-to-connect-to-the-access-server.html|title=Can I use a community OpenVPN client to connect to the Access Server?|access-date=2017-01-16}}</ref>

==See also==
{{Portal|Free and open-source software}}

*[[OpenConnect]]
*[[OpenSSH]]
*[[Secure Socket Tunneling Protocol|Secure Socket Tunneling Protocol (SSTP)]]
*[[stunnel]]
*[[Tunnelblick]]
*[[WireGuard]]

==References==
{{Reflist}}

==External links==

*{{official}}
*[https://community.openvpn.net Community website]
*{{cite web|url=https://archive.org/details/HantsLUG_openvpn|title=OpenVPN presentation and demonstration|publisher=Hampshire Linux User Group|website=Archive|date=2 February 2008|first=Adrian|last=Bridgett}} [http://hantslug.org.uk/wiki/TechTalks Tech Talks]

{{VPN}}

[[Category:2001 software]]
[[Category:Free security software]]
[[Category:Tunneling protocols]]
[[Category:Unix network-related software]]
[[Category:Virtual private networks]]
[[Category:Free software programmed in C]]