11 reasons why OpenVPN should replace your VPN client

Sign up for one of the best VPNs and it usually makes sense to use your provider's client software. Usually you can download these programs straight from your VPN provider’s website or your mobile device app store. They should work right away, with no setup hassles, and you'll get easy access to any bonus features the service offers: encrypted DNS, ad blocking, split tunnelling, or whatever’s on offer. 

But what if your VPN doesn't have any bonus features, or its clients are so feeble and underpowered that they can't deliver the features you need?

OpenVPN could be the answer. It's an ultra-configurable open source VPN client which works with just about any VPN provider that supports the OpenVPN protocol.

It gives you new ways to automate, optimize, control and troubleshoot your connections, and you can use it alongside your existing client, or maybe replace it entirely – it's your call. The package won't be for everyone, but experienced VPN users in particular could have a lot to gain. 

Because you’re using a VPN company’s servers, you are relying on them to respect your privacy and anonymity - and that means they shouldn’t log your activity. One way a dishonest provider could log it anyway is to program the ‘client’ software on your machine to gather information about your online and offline activities and send it to them. This may sound unlikely but it has happened before - 

Sometimes this was because of an exploitable flaw in the code that the VPN provider missed, and sometimes because the developer had bad intentions and deliberately coded their app to contain malware. Google has also made it clear to developers of mobile VPN apps on the Google Play Store that they need to display targeted ads, no matter what that means for user privacy.

Luckily, there’s an alternative. 

1. It's smaller and simpler

OpenVPN doesn't have a flashy interface, and it can't display all your locations on a global map, but its simpler approach to VPN management still has a lot of appeal.

You can connect to any location by right-clicking the system tray icon and selecting your server from a list. There's no need to open a separate VPN console and poke around various windows and tabs – OpenVPN gets you connected in a couple of clicks.

A standard Windows desktop notification lets you know when the VPN is active. OpenVPN's system tray icon changes color, allowing you to check system status at a glance. If you need more, hovering your mouse over the icon displays a tooltip with the server name and your new IP address.

What's more, if you can live with OpenVPN's stripped-back approach, you won't waste system resources by having a regular VPN client permanently running in the background. Although average client RAM use is typically low, we've seen some clients peak at 250MB or more, so any savings on the memory front are well worth having.

2. It's open source

Besides being very lightweight on download time and system resources, OpenVPN is open source. In other words, the source code used to compile the program is freely available online.

This means skilled coders and security experts can review the code to make sure there are no undetected bugs. This is also a good way to make sure there aren’t any ‘backdoors’ coded in, which allow unauthorised people access to your device, like the one that was discovered in Zyxel’s VPN software in 2021.

Another advantage of open source software is that if your chosen VPN provider goes out of business, you can continue using the OpenVPN client. As long as there’s a demand for it, the code will be maintained by the community.

This is especially important if you’re using a free VPN, as their business model is less sustainable than a reliable, paid service.  

3. You get full control of the server list 

Most VPN clients display locations in fixed lists which you can't alter or reorganize in any way. That soon becomes annoying if, say, you're forever scrolling through 30 servers to find the only three you ever use.

OpenVPN is much more configurable. Instead of a defined list of servers, for example, you're able to add whatever servers you need. If you only ever connect to four locations, then you can add those and ignore everything else.

The list is sorted alphabetically, but if that's an issue, you're able to edit the server name to order it however you like: by city, country, continent, or some more arbitrary scheme, whatever works for you.

Naturally this means you will have to download the configuration (.ovpn) file for each server you want to connect to. Still, some VPN providers make life easier by offering the .ovpn configuration files for all their servers in a single download, e.g. in ZIP format.

4. Settings apply per connection 

The average VPN client gives you a list of connections, and some settings which apply to them all. This approach might seem reasonable, at first, but it can cause major issues in some situations.

Suppose you're having problems with a specific long-distance connection. The provider tells you to go into Settings and change protocol from speedy UDP to the slower but more reliable TCP. This might improve results with your target server, but the new TCP setting will also apply to every other location, reducing performance all round.

OpenVPN uses a separate .ovpn settings file for every single connection. You can set up some servers to use UDP, others TCP, or even offer both options in the server list ('London - UDP', 'London - TCP'). Each connection can use whatever settings it needs to work best.

The OpenVPN website has a page dedicated to creating your own .ovpn files along with some sample configurations to get you started. 

Once you're happy with a connection setup, you can import the settings file into an OpenVPN installation on another device, or share it with other OpenVPN users. They'll be able to add it to their connection lists, and use it right away. 

This is extremely efficient if you want to connect multiple workstations on your network to the VPN, as otherwise you’d have to manually configure the connection on each one. 

5. Use fall-back connections 

A VPN won't always connect to the server you need, particularly if it's far away or under heavy load. Normally this leaves you with only two options: try the connection again, or manually select something else.

OpenVPN can help with its connection profiles – groups of settings which give the program several ways to connect to a server.

A profile might start by trying the regular UDP connection you'd ideally like to use. But this could then revert to a TCP connection, then something specifying another server, then adding a few other troubleshooting tweaks…

Point OpenVPN at the profile and it will try each one sequentially until it manages a successful connection. You won't need to keep hitting Connect anymore, because the program should be able to deal with most errors all on its own.

6. Access multiple VPNs from one app

Your favorite VPN might not always do everything you need, and sometimes it can make sense to install other services for specific tasks: here's one with a country you require, another that unblocks Netflix, maybe a free VPN as a backup, whatever makes sense.

The problem with this strategy is you'll need to access these services via their own individual clients, and maybe even have them all running permanently in the background. This will not only slow down your system but the clients might interfere with each other’s operations, particularly if they’re all trying to connect at the same time. 

As long as your installed VPNs all support OpenVPN, there's a good chance you can import the connections you'll use from each individual VPN, then combine and launch them all from a single menu. As you’re using just one app, there’s no danger of them interfering with each other as OpenVPN will disconnect from one VPN before connecting to another.

Renaming your connections to include the provider will help remind you what's going on: 'ExpressVPN - London', 'IPVanish - New York', 'VyprVPN - Netherlands', whatever they might be.

The end result could save you a lot of time, and free up resources by reducing the need to have other VPN clients installed.

7. Troubleshoot problems with logs

VPN connections don't always run smoothly (you've probably noticed). Some servers seem to be offline most of the time, or maybe you're seeing connections drop. Understanding what's going on can be difficult, especially if your VPN client hides the details away to avoid scaring less technical users.

OpenVPN Connect is much more upfront about its operations. A log window displays what's happening as you're connecting to the server, and you can display the connection log at any time in a couple of clicks.

One benefit of viewing the logs is that you're able to see how a connection has been set up. Take a look at these two lines:

Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

You don't need any OpenVPN expertise to recognize the reference to 256-bit AES encryption, and the logs include many other details on what your VPN is doing.

Better still, if you have problems later, the logs will give you a clear idea of the connection state, and might include errors or status messages giving you some clue about the cause. 

Even if the error logs are meaningless gibberish to you, you can still copy and paste them into e-mails to your VPN provider or a tech support advisor in order to do some troubleshooting.
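The cipher lines quoted above can also be checked automatically. The Python below is an added example, not part of OpenVPN or of this article: it pulls the data channel lines out of a log and reports any cipher that is not on an allow-list, or a mismatch between the two directions. The allow-list is an assumed policy and the log lines, including their timestamps, are constructed samples.

```python
import re

DATA_CHANNEL = re.compile(
    r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)' initialized with (\d+) bit key")
# Assumed policy: accept only AEAD ciphers on the data channel.
ALLOWED = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

def check_data_channel(log_text):
    """Return (seen, problems) for the data channel lines in an OpenVPN log."""
    seen, problems = {}, []   # seen: direction -> (cipher, key bits), latest wins
    for line in log_text.splitlines():
        m = DATA_CHANNEL.search(line)
        if not m:
            continue
        direction, cipher, bits = m.group(1), m.group(2), int(m.group(3))
        seen[direction] = (cipher, bits)
        msg = f"{direction}: {cipher} ({bits} bit) is not on the allow-list"
        if cipher.upper() not in ALLOWED and msg not in problems:
            problems.append(msg)
    missing = {"Outgoing", "Incoming"} - seen.keys()
    if missing:
        problems.append(f"no cipher line for: {', '.join(sorted(missing))}")
    elif seen["Outgoing"] != seen["Incoming"]:
        problems.append("outgoing and incoming ciphers differ")
    return seen, problems

# Constructed sample logs (timestamps invented for illustration).
GOOD_LOG = """\
2024-01-01 10:00:01 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-01-01 10:00:01 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""
WEAK_LOG = """\
2024-01-01 10:05:01 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2024-01-01 10:05:01 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("weak", WEAK_LOG)):
        print(name, check_data_channel(log))
```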

8. Run useful scripts 

One of OpenVPN's most valuable features is the ability to run custom scripts when your VPN connection state changes.

You could use scripts to manage your applications, perhaps automatically launching a torrent program when you first get connected, and forcibly closing it if the connection drops.

If some of your applications don't work as they should under a VPN - maybe you're not able to send emails – you might be able to use scripts to reconfigure them, or just close the app while the VPN is running and restart it when you disconnect.

Experienced users may be able to use scripts to solve VPN issues. Are you having problems with the DNS cache, for instance? If you’re a Windows user, you can get OpenVPN to run the following command when you connect or disconnect, and hopefully all will be well:

ipconfig /flushdns

OpenVPN for macOS also supports commands to clear your DNS cache and other scripts. If you’re a Linux user, you can also get scripts working but need to make some extra changes to the way OpenVPN operates by following the necessary steps in the user manual.

Some other potential uses for scripts include:

  • Opening a certain web page once you’re connected, such as https://ipleak.net/, to double check the VPN service is working correctly
  • Opening a network drive or folder, such as your Google Drive
  • Displaying information about your VPN connection, e.g. the protocol, connection speed, and so on
  • Running a program such as CCleaner to remove temporary internet files from the last time you used the internet

Whatever your issue happens to be, the ability to run scripts will often give you a way to address it, or at least automate some kind of workaround.
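A shared or provider-supplied .ovpn file can carry both the fall-back profiles described in section 5 and the script hooks described here, so it is worth reading one before importing it. The Python below is an added example, not code from OpenVPN or from this article: it lists the connection attempts in the order OpenVPN will try them and flags directives that run commands or load native code. The hostnames and the flush_dns.bat script name are constructed placeholders.

```python
# Directives that make OpenVPN run an external command or load native code.
EXEC = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify", "plugin"}

def audit_profile(text):
    """Return (fallback_order, findings) for the text of one .ovpn profile."""
    attempts, findings, top, conn, inline = [], [], {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:                       # body of an inline <ca>/<cert>/<key> block
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            tag = line[1:-1]
            if tag == "connection":      # one fall-back attempt, tried in file order
                attempts.append(conn := {})
            elif tag == "/connection":
                conn = None
            elif not tag.startswith("/"):
                inline = tag
            continue
        key, *args = line.split()
        if key == "remote" and args:     # remote <host> [port] [proto]
            entry = conn if conn is not None else {}
            entry.update(zip(("host", "port", "proto"), args))
            if conn is None:             # a bare remote line is an attempt too
                attempts.append(entry)
        elif key == "proto" and args:
            (top if conn is None else conn)["proto"] = args[0]
        elif key in EXEC or (key == "script-security" and args[:1] in (["2"], ["3"])):
            findings.append((lineno, key, " ".join(args)))
    default = top.get("proto", "udp")
    order = [(c["host"], c.get("port", "1194"), c.get("proto", default))
             for c in attempts if "host" in c]
    return order, findings

# Constructed sample: hostnames and script name are placeholders.
SAMPLE = """<connection>
remote vpn1.example.net 1194 udp
</connection>
<connection>
remote vpn1.example.net 443 tcp
</connection>
<connection>
remote vpn2.example.net 443 tcp
</connection>
script-security 2
up flush_dns.bat
"""
```

Calling `audit_profile(SAMPLE)` returns the three attempts in order (UDP first, then TCP on port 443, then a second server) along with the line numbers of the `script-security` and `up` directives.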

9. Advanced connection tweaks 

VPN providers often boast about their clients being "easy to use", but that's usually code for "incredibly basic with almost no features". We said earlier that OpenVPN is simple but that’s not the same thing as being basic. 

Networking experts who switch to OpenVPN can get far more detailed and low-level control over their VPN connection.

This starts with the fundamentals – protocols, ports, retry rules – although even here, there's more depth and power than you might expect. (IPv6 support, for instance? No problem).

You get all kinds of options for setting and configuring network routes, and defining exactly which traffic you'd like to be redirected through the VPN.

There's support for setting and adjusting your MTU and TCP send and receive buffers, which could deliver significant performance gains in some situations. If that sounds too much like hard work, no problem: OpenVPN can even run tests to figure out the best MTU value to use, which you can then input yourself.

Other commands can help you detect connection failures, maybe close the VPN if the tunnel isn't being used, or even limit VPN speeds to ensure tunnel traffic doesn't grab all your bandwidth. This isn't always easy to set up, and networking expertise is definitely required, but if that's not an issue, using OpenVPN gives you all kinds of extra possibilities.

10. The Kill Switch 

Many modern VPNs incorporate a VPN kill switch into their client-side software. In simplest terms this means if your VPN connection drops out for any reason (or fails to connect in the first place), the app will block all network activity until your VPN service is running again.

This is important, as otherwise you could connect to the internet in the belief your connection’s protected when in fact anyone with access to your ISP’s records can view which websites you’re visiting and what you’re downloading. 

While, as we said, many VPN clients do offer this as standard, others either don’t include a kill switch with their software or claim they do, when in fact their client actually doesn’t have the feature for every platform.

Fortunately the OpenVPN App has its own built-in kill switch. This will prevent your sensitive personal data from leaking but does mean that when you first boot your device, none of your apps will be able to connect to the internet until the VPN connection is established. 

Luckily, if you’re using a Mac or Windows 10/11 you can configure OpenVPN to automatically connect to your chosen VPN server.

11. Radical routers

Besides the OpenVPN client, the OpenVPN team also offer their “OpenVPN Cloud” service which allows you to install OpenVPN software on a compatible router, such as one running the open source router firmware DD-WRT.

This can be done by downloading pre-generated cloud ‘profiles’ for your router, or via a dedicated connector app if your router supports it. OpenVPN Cloud also includes extra features that the Connect client doesn't, such as “Cyber Shield”, which can automatically screen out harmful content, free of charge. 

The main reason to do this is that, if set up correctly, the OpenVPN connection would be maintained by your router. This means any devices connected to it would automatically use the VPN service, without needing to install any extra ‘client’ software.

Provided you’re using open source router firmware like DD-WRT, this is also much safer for network users, as you don’t have to rely on closed source proprietary software which may contain security flaws. 

If you’re considering doing this, remember that even with the best VPN routers, you’ll need to check that they support the OpenVPN protocol specifically. If you’re unsure, find a router which has either the DD-WRT or OpenWRT firmware installed, as these both definitely support OpenVPN connections.

Mike Williams
Lead security reviewer
