
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[9] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).[10]

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multi-client server configuration, it allows the server to issue an authentication certificate for every client, using signatures and a certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

OpenVPN has been ported to and embedded in several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of the OpenVPN protocol.
Architecture

Encryption

OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an "HMAC Firewall" by the creator). It can also use hardware acceleration to get better encryption performance.[11][12] Support for mbed TLS is available starting from version 2.3.[13]
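The "HMAC Firewall" idea described above, shown as an added example rather than OpenVPN's own code: every datagram carries a keyed HMAC tag and a packet counter, and the receiver authenticates the tag before it parses anything else, so datagrams from anyone without the static key, tampered datagrams and replays are dropped before they reach the TLS layer. The packet layout, the opcode value, the counter handling and the keys are constructed simplifications for this example, not OpenVPN's tls-auth wire format.

```python
"""Simplified 'HMAC firewall' for a UDP control channel (added example, not OpenVPN code).

Layout (constructed): opcode(1) || packet_id(4) || payload || HMAC-SHA256 tag(32).
The receiver verifies the tag in constant time first, then rejects any
packet_id that is not strictly newer than the last accepted one (a simplified
replay window), and only then hands the payload to the next layer.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

TAG_LEN = 32                    # full HMAC-SHA256 output
HEADER = struct.Struct("!BI")   # 1-byte opcode, 4-byte packet id, network order


def seal(key: bytes, opcode: int, packet_id: int, payload: bytes) -> bytes:
    """Sender side: header || payload || HMAC(key, header || payload)."""
    body = HEADER.pack(opcode, packet_id) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class HmacFirewall:
    """Receiver side: authenticate, then replay-check, then release the payload."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._highest_seen = 0   # simplified monotonic replay window
        self.dropped = 0

    def accept(self, datagram: bytes) -> Optional[Tuple[int, bytes]]:
        """Return (opcode, payload) for an authentic, fresh datagram, else None."""
        if len(datagram) < HEADER.size + TAG_LEN:
            self.dropped += 1
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison so the tag check leaks no timing information.
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1
            return None
        opcode, packet_id = HEADER.unpack_from(body)
        if packet_id <= self._highest_seen:   # replayed (or stale) datagram
            self.dropped += 1
            return None
        self._highest_seen = packet_id
        return opcode, body[HEADER.size:]


def demo() -> Dict[str, object]:
    """Exercise the firewall with constructed datagrams and summarise the outcome."""
    key = b"\x11" * 32            # constructed static key for the example only
    fw = HmacFirewall(key)
    good = seal(key, 0x38, 1, b"P_CONTROL_HARD_RESET")   # constructed payload
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01                        # flip one payload bit
    wrong_key = seal(b"\x22" * 32, 0x38, 2, b"hello")    # sender lacks the key
    return {
        "good": fw.accept(good) is not None,
        "replay": fw.accept(good) is None,                # same packet id again
        "tampered": fw.accept(bytes(tampered)) is None,
        "wrong_key": fw.accept(wrong_key) is None,
        "dropped": fw.dropped,
    }


if __name__ == "__main__":
    print(demo())
```

The point of ordering the checks this way is that nothing attacker-controlled is parsed until the HMAC has passed; a peer without the key cannot even trigger the TLS handshake code, which is what makes the feature act as a firewall in front of the control channel.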
Authentication

OpenVPN has several ways to authenticate peers with each other. It offers pre-shared key, certificate-based, and username/password-based authentication. A pre-shared secret key is the easiest to set up, while certificate-based authentication is the most robust and feature-rich. Since version 2.0, username/password authentication can be enabled, with or without certificates. To make use of username/password authentication, however, OpenVPN depends on third-party modules; see the Extensibility section for more information.
Networking
OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing the created SSL tunnels on a single TCP/UDP port[14] (RFC 3948 for UDP).[15] From the 2.3.x series on, OpenVPN fully supports IPv6 as the protocol of the virtual network inside a tunnel, and the OpenVPN applications can also establish connections via IPv6.[16] It has the ability to work through most proxy servers (including HTTP) and is good at working through network address translation (NAT) and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 IP tunnel (TUN) or a layer-2 Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. Port 1194 is the official IANA-assigned port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows one process to manage several simultaneous tunnels, as opposed to the original "one tunnel per process" restriction of the 1.x series.

OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced "business grade" service tier.

When OpenVPN uses TCP transports to establish a tunnel, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem".[17][18]
Security

OpenVPN offers several internal security features. It has up to 256-bit encryption through the OpenSSL library, although some service providers may offer lower strengths, effectively making the connection faster.[19] It runs in userspace, instead of requiring IP stack (and therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization, and apply a SELinux context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS[9] rather than supporting IKE, IPsec, L2TP or PPTP. OpenVPN offers support for smart cards via PKCS#11-based cryptographic tokens.
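The Authentication, Networking and Security sections above each name a control that shows up as a directive in an OpenVPN server configuration: certificate-based peer authentication (ca/cert/key), HMAC protection of the control channel (tls-auth or tls-crypt), username/password checks layered on top of certificates rather than replacing them, UDP rather than TCP transport, and dropping root, locking memory and entering a chroot after initialization. The following small linter, added here as an example and not part of the OpenVPN project, parses the directive-per-line configuration format and reports which of those controls are missing. The directive names are real OpenVPN options; the two sample configurations and the file paths inside them are constructed for this example.

```python
"""Hardening check for an OpenVPN server configuration (added example, not OpenVPN tooling).

parse_config() reads OpenVPN's one-directive-per-line format (comments start
with '#' or ';'); audit() returns (severity, message) findings for controls
the article describes that are absent or weakened. An empty list means the
configuration has every control this check knows about.
"""
from typing import Dict, List, Tuple

Config = Dict[str, List[List[str]]]


def parse_config(text: str) -> Config:
    """Map each directive name to the list of argument lists it appears with."""
    directives: Config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def first_arg(cfg: Config, name: str, default: str) -> str:
    """First argument of the first occurrence of a directive, or a default."""
    occurrences = cfg.get(name)
    if not occurrences or not occurrences[0]:
        return default
    return occurrences[0][0]


def audit(cfg: Config) -> List[Tuple[str, str]]:
    """Return findings as (severity, message); [] when all checks pass."""
    findings: List[Tuple[str, str]] = []

    # Peer authentication: the server needs a CA plus its own certificate and key.
    for needed in ("ca", "cert", "key"):
        if needed not in cfg:
            findings.append(("error", f"missing '{needed}': certificate-based peer authentication is incomplete"))

    # Control-channel HMAC (the 'HMAC firewall'): tls-auth or tls-crypt.
    if "tls-auth" not in cfg and "tls-crypt" not in cfg:
        findings.append(("warn", "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"))

    # Username/password should add to certificate checks, not replace them.
    if first_arg(cfg, "verify-client-cert", "require") == "none":
        findings.append(("warn", "verify-client-cert none: a password is the only client authentication"))
    if "auth-user-pass-verify" in cfg and first_arg(cfg, "script-security", "0") < "2":
        findings.append(("error", "auth-user-pass-verify needs 'script-security 2' or higher to run"))

    # Privilege reduction after initialization.
    for needed in ("user", "group", "chroot"):
        if needed not in cfg:
            findings.append(("warn", f"missing '{needed}': daemon keeps full root privileges after init"))
    if "user" in cfg and not ("persist-key" in cfg and "persist-tun" in cfg):
        findings.append(("warn", "dropping root without persist-key/persist-tun breaks restarts"))
    if "mlock" not in cfg:
        findings.append(("info", "no mlock: key material may be swapped to disk"))

    # Transport: UDP is the default; TCP is subject to the meltdown problem.
    proto = first_arg(cfg, "proto", "udp")
    if proto.startswith("tcp"):
        findings.append(("info", f"proto {proto}: TCP transport is subject to the TCP meltdown problem"))
    return findings


# Constructed sample: certificates present, but most other controls missing.
WEAK = """
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert none
auth-user-pass-verify /etc/openvpn/check-user.py via-file
"""

# Constructed sample: the same server with the controls the article lists.
HARDENED = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
tls-crypt ta.key                 # HMAC-authenticate (and encrypt) control packets
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
auth-user-pass-verify /etc/openvpn/check-user.py via-file
script-security 2
user nobody                      # drop root after initialization
group nogroup
persist-key                      # keep keys/tun open across restarts without root
persist-tun
chroot /var/empty/openvpn
mlock                            # keep key material out of swap
push "route 10.10.0.0 255.255.0.0"
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(parse_config(text)) or "OK")
```

The check is intentionally a whitelist of missing controls rather than a full validator: OpenVPN itself is the authority on whether a configuration parses, and the goal here is only to make the hardening directives named in the article visible at review time.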
Extensibility

OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined entry points.[20][21] The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with usernames and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the script interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code[22] there are some examples of such plug-ins, including a PAM authentication plug-in. Several third-party plug-ins also exist to authenticate against LDAP or SQL databases such as SQLite and MySQL. There is an overview of many of these extensions on the related project wiki page for the OpenVPN community.
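The script entry point most often used for the username/password authentication described above is OpenVPN's auth-user-pass-verify hook. The following script is an added example, not one of the plug-ins shipped with OpenVPN: it implements the via-file calling convention, in which OpenVPN writes the username on the first line and the password on the second line of a temporary file, passes that file's path as the script's only argument, and treats exit status 0 as success and any other status as failure. The credential store, the user "alice" and the password are constructed for the example; the server-side wiring it assumes is the real directives `script-security 2` and `auth-user-pass-verify <path> via-file`, with the path being a placeholder.

```python
#!/usr/bin/env python3
"""Credential check for OpenVPN's auth-user-pass-verify hook (added example, not OpenVPN code).

Assumed server configuration (real directives, placeholder path):
    script-security 2
    auth-user-pass-verify /etc/openvpn/check-user.py via-file

Passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes. The store below
is constructed for the example; in a deployment it would be a root-only file.
"""
import hashlib
import hmac
import os
import sys
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor (example value)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def parse_via_file(contents: str) -> Optional[Tuple[str, str]]:
    """via-file format: line 1 username, line 2 password; anything else is rejected."""
    lines = contents.split("\n")
    if len(lines) < 2 or not lines[0].strip():
        return None
    return lines[0].rstrip("\r"), lines[1].rstrip("\r")


# Constructed example store: username -> (salt, pbkdf2 digest).
DUMMY = hash_password("unused-dummy-value")
STORE: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}


def verify(contents: str, store: Dict[str, Tuple[bytes, bytes]]) -> int:
    """Return the exit status OpenVPN expects: 0 = accept, 1 = reject."""
    parsed = parse_via_file(contents)
    if parsed is None:
        return 1
    username, password = parsed
    # Run PBKDF2 even for unknown users so response time does not reveal
    # which usernames exist; DUMMY stands in for the missing record.
    salt, expected = store.get(username, DUMMY)
    _, actual = hash_password(password, salt)
    ok = hmac.compare_digest(actual, expected) and username in store
    return 0 if ok else 1


def main(argv) -> int:
    """Entry point used by OpenVPN: argv[1] is the temporary credentials file."""
    if len(argv) != 2:
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        return verify(fh.read(), STORE)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two details matter for a hook like this: the script must never print the password or echo it into a log, because OpenVPN's own log is often world-readable on routers, and it should fail closed, returning non-zero for malformed input rather than only for a wrong password.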
Platforms

It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows XP and later.[23] OpenVPN is available for mobile phone operating systems (OS) including Maemo,[24] Windows Mobile 6.5 and below,[25] iOS 3GS+ devices,[26] jailbroken iOS 3.1.2+ devices,[27] Android 4.0+ devices, and Android devices that have had the Cyanogenmod aftermarket firmware flashed[28] or have the correct kernel module installed.[29] It is not compatible with some mobile phone OSes, including Palm OS. It is not a "web-based" VPN shown as a web page such as Citrix or Terminal Services Web access; the program is installed independently and configured by editing text files manually, rather than through a GUI-based wizard. OpenVPN is not compatible with VPN clients that use the IPsec over L2TP or PPTP protocols. The entire package consists of one binary for both client and server connections, an optional configuration file, and one or more key files depending on the authentication method used.
Firmware implementations

OpenVPN has been integrated into router firmware packages such as Vyatta, pfSense, DD-WRT,[30] OpenWrt[31] and Tomato,[32][33] allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, allows any computer on a network to access a VPN without the need to install OpenVPN. Web sites such as MyOpenRouter (dedicated to Netgear routers) discuss new hardware and firmware developments, with much discussion of OpenVPN, active as of December 2015.
