What is OpenVPN?


If you’re focused on protecting your online privacy, you’re likely already using a VPN. The best VPNs (and trusted free VPNs) securely encrypt your web traffic and keep it safe from hackers.

The key element of every VPN connection is its VPN protocol - a set of rules that defines everything from how the app securely connects to the VPN server to data transfer methods and how to close the session when you're finished.

Most VPNs support several protocols - WireGuard, IKEv2, L2TP, SSTP and more - but OpenVPN is far and away the most popular. So what is OpenVPN, is it better than the competition, and what comes next for this popular protocol?

How OpenVPN started

In 2001, developer James Yonan was traveling through Central Asia when he needed to remotely connect to his business network. Forced to make unencrypted connections via servers in countries with very shady security practices, Yonan realized how vulnerable his data was. His solution was to create an open-source project to encrypt data and protect it from snoopers. The developer originally intended this to be a side project. He had no idea that he’d invented what was to change the face of encrypted communications for years to come. 

Francis Dinha was born and raised in Iraq, during the reign of Saddam Hussein. Growing up in a world where expressing anti-government views could result in punishment, jail time, even execution, Dinha learned some harsh lessons about the true value of personal privacy. 

After fleeing Iraq, applying for asylum in Sweden, then later arriving in the US, Dinha heard about Yonan's creation and realized the possibilities. The two men talked, and came up with a business plan. In 2001, they founded OpenVPN, and in 2002, the OpenVPN protocol saw its first public release. 


OpenVPN encryption

OpenVPN provides a means of connecting computers together in a Virtual Private Network. That is, even if the computers are remote from each other, in another office, another country, the other side of the world, it can safely connect the systems together via a secure encrypted tunnel.

OpenVPN can create its VPN tunnel using either Transmission Control Protocol (TCP) for maximum reliability, or User Datagram Protocol (UDP) for raw speed, a flexibility that beats some competing protocols, even today.

Communications are managed by Secure Sockets Layer/Transport Layer Security (SSL/TLS). This is the same technology used to protect data transmitted to and from HTTPS websites. That's an advantage if you need OpenVPN to bypass a firewall or some other VPN block, as once it's set up, it's tricky to tell that you're using a VPN: your online activity just looks like regular HTTPS web traffic.

OpenVPN benefits from many SSL/TLS features, such as allowing it to confirm you're connecting to a legitimate server, create and share new encryption keys to protect your data for this session, and verify your data hasn't been altered.

Properly implementing modern web encryption is a huge task, and fortunately OpenVPN doesn't try, instead handing off most encryption tasks to the very comprehensive OpenSSL library. 

That's good news, as OpenSSL is a capable product widely used by many web servers to manage their HTTPS connections. But OpenVPN also uses it to support just about every encryption algorithm, hash function or public-key cryptography technology around. That includes AES, ChaCha20, Poly1305, Triple DES, SM4, MD5, SHA-2, SHA-3, BLAKE2, Whirlpool, RSA, Diffie-Hellman, elliptic-curve cryptography, and more.

Flexible configurations 

One of the major advantages of OpenVPN is its flexible and configurable design, which gives VPN providers (and, sometimes, users) a huge amount of control over how the service works.

Providers can easily switch OpenVPN encryption algorithms, optimizing the VPN for security or speed. OpenVPN supports changing network settings, for instance asking your device to use another DNS server. And it supports all the network standards you need. Need IPv6, as well as IPv4 support? OpenVPN can be set up to handle that and get you connected in most situations.

OpenVPN connections are set up by configuration files that accept many different commands, giving you all kinds of ways to deal with tricky situations. 

Let’s say you can't connect because a server is down. OpenVPN supports setting a custom timeout before it gives up the attempt, so you could wait a long time for servers you know are slow or just a few seconds for others. It can set the number of times to retry, and the number of seconds to wait between retries. It can change low-level network settings, maybe helping you get connected on busy networks or over poor-quality connections. It's even possible to list several servers, each with its own preferred connection settings, and OpenVPN will try them all until it finds one that works.

These configuration files are extremely easy to read and edit as they’re nothing more than text files with their own extension (.ovpn). Many VPN providers make it easy for customers to connect via OpenVPN by offering pre-made configuration files on their websites.  

However, it’s worth noting that these features won't typically be available from a mobile VPN app unless it's written to support them, so don't be surprised if you see nothing like that from your own provider, even though OpenVPN supports them.

Even if the built-in OpenVPN features aren't enough, that's not the end of the story. The protocol can be extended with plugins, scripts and more, giving all kinds of other customization possibilities.

One popular plugin is ‘auth-pam’. PAM stands for Pluggable Authentication Modules, the Linux/Unix authentication framework. This lets you increase OpenVPN's security by, for instance, requiring authentication with both a password and an X.509 public key certificate.

You can also use plugins to increase an OpenVPN server’s security using two-factor authentication with Duo or LastPass. This flexibility underpins why OpenVPN is such a popular protocol, letting users customize it to meet the specific needs of each VPN platform.  

Open-source advantage 

The open-source nature of OpenVPN is another big advantage. Anyone can download the source code, check it for problems, add new features, or use it to create their own products.

That's helped expand OpenVPN to run on just about every platform, from VPNs for Windows to Mac, Android VPNs, and almost every flavor of Linux. 

While iOS doesn’t natively support connections to OpenVPN servers, you can use a third-party app like OpenVPN Connect to do this. If you have an iPhone, iPad or other iOS device, see our guide How to setup and use OpenVPN Connect.

Other related open-source projects have grown up around the protocol. For instance, the client software for AirVPN, known as Eddie, is a powerful OpenVPN app with more features than most of the competition. It's free and open-source, and you're permitted to download and use it with any OpenVPN-compatible service, not just AirVPN.

All this activity has produced a large community of developers who work on the project, squash bugs and security vulnerabilities, and collaborate on fresh ideas for the protocol. There's no guarantee OpenVPN won't have problems, but with more people inspecting the code, it's likely any issues will be caught early.

The transparency of an open-source project is great for trust, too. Top providers like ExpressVPN are embracing this spirit - the company made the code for its Lightway protocol open-source. Most VPN protocols, though, aren't open source, and when a provider tells you how great their offering is, you just have to take their word for it.

With OpenVPN, there's no way anyone could get away with making unrealistic claims or promises, because there are thousands of experts out there regularly developing and reviewing the source code. 


Client software 

It’s not just the OpenVPN server software that’s free and open-source. So is the client software that you install on your device to connect to an OpenVPN server. One of the most popular implementations is OpenVPN Connect, which can easily be set up on most platforms. The advantage of using an open-source client instead of your VPN provider’s client software is that it’s much easier to verify any claims. 

For instance, if your VPN provider says their proprietary, closed-source client secures connections with the fast and powerful ChaCha20 stream cipher rather than the slightly less secure AES-256-GCM, you simply have to accept the claim. By using open-source software like OpenVPN Connect and the easy-to-read .ovpn configuration files you can check exactly how your connection is authenticated and encrypted for yourself. 
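The two things the article describes around .ovpn files, the connection-handling directives in the Flexible configurations section (timeouts, retries, several servers) and the idea just above of checking for yourself how a connection is authenticated and encrypted, can be shown in one script. This is an added example, not code from the article or from the OpenVPN project: it writes a constructed client configuration (the `.invalid` hostnames, certificate file names and `ta.key` are placeholders) and then audits any client .ovpn file for the settings a reader would want to confirm are present.

```shell
#!/bin/sh
# Added example (not the author's or the OpenVPN project's code).
# write_sample_ovpn creates a constructed client .ovpn using the kinds of
# directives the article describes: several servers tried in turn, a
# connect timeout, retry limits, and the TLS settings a reader can verify.
# audit_ovpn reads such a file and reports missing or weak settings.
# Hostnames (.invalid TLD), key/cert file names and ta.key are placeholders.

write_sample_ovpn() {
    # $1: path of the .ovpn file to create
    cat > "$1" <<'EOF'
client
dev tun
# Two servers, each with its own port and transport; OpenVPN tries them in
# order (remote-random shuffles that order) until one connects.
remote vpn1.example.invalid 1194 udp
remote vpn2.example.invalid 443 tcp
remote-random
# Give up on an unresponsive server after 20 seconds and move to the next.
connect-timeout 20
# Wait 5 seconds between attempts (backing off to at most 60), try 3 times.
connect-retry 5 60
connect-retry-max 3
resolv-retry infinite
nobind
persist-key
persist-tun
# Accept only a certificate issued for server use, so another client's
# certificate cannot be presented as the server's.
remote-cert-tls server
# Pre-shared key that authenticates and encrypts every control-channel packet.
tls-crypt ta.key
# Only AEAD ciphers are negotiated; legacy ciphers are never offered.
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
ca ca.crt
cert client.crt
key client.key
verb 3
EOF
}

# Number of 'remote' entries, i.e. how many servers the file will try.
count_remotes() {
    grep -Ec '^remote ' "$1"
}

# Report security-relevant gaps in a client .ovpn. Prints one line per
# finding and returns 0 only when nothing was found.
audit_ovpn() {
    cfg="$1"
    rc=0
    if ! grep -Eq '^(tls-auth|tls-crypt|tls-crypt-v2) ' "$cfg"; then
        echo "MISSING: tls-auth/tls-crypt (control channel is not keyed)"
        rc=1
    fi
    if ! grep -Eq '^remote-cert-tls server' "$cfg"; then
        echo "MISSING: remote-cert-tls server (server certificate role not checked)"
        rc=1
    fi
    if grep -Eq '^(cipher|data-ciphers) .*(BF-CBC|DES)' "$cfg"; then
        echo "WEAK: 64-bit block cipher (Blowfish/3DES) configured"
        rc=1
    fi
    if grep -Eq '^auth (MD5|SHA1)( |$)' "$cfg"; then
        echo "WEAK: HMAC digest: $(grep -E '^auth ' "$cfg")"
        rc=1
    fi
    return $rc
}

# Stand-alone run: write the sample file to a temporary directory, audit it.
demo_dir=$(mktemp -d)
write_sample_ovpn "$demo_dir/client.ovpn"
if audit_ovpn "$demo_dir/client.ovpn"; then
    echo "client.ovpn: $(count_remotes "$demo_dir/client.ovpn") servers, no findings"
fi
rm -rf "$demo_dir"
```

Point `audit_ovpn` at a provider's downloaded .ovpn file to see the same checks applied to it; the directive names used here are standard OpenVPN 2.4+ client options, and the audit only reads the file, so it can be run before the profile is ever imported.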

Naturally this works both ways: if your VPN provider’s own client software has a special feature offered only by that provider, such as Meshnet from NordVPN, then you won’t find it in the open-source client.

That said, like most modern proprietary VPN clients, the OpenVPN Connect client does now include a VPN kill switch. This means if your connection to the VPN server fails or drops out for any reason, all network activity is stopped until your device is linked with the VPN again. This protects your IP address and personal data. 

If a particular device isn’t compatible with OpenVPN Connect, consider installing the client on a compatible, secure router. If your router is running the firewall distribution pfSense or the open-source firmware OpenWRT or DD-WRT, you can configure it to connect to an OpenVPN-compatible server. Any devices you then connect to the router will also be connected to the VPN.

If you want to change your router’s firmware, you’ll need to make sure you have a compatible model. For more information, see our guide Enhance your router with OpenWRT.

OpenVPN disadvantages  

Using the OpenSSL library was the right decision when OpenVPN was originally developed, as it’s always wise to use a tried and trusted SSL library rather than try to develop and maintain your own.

Unfortunately, some vulnerabilities have been discovered in OpenSSL in recent years. One of the biggest was Heartbleed. By sending certain data to an OpenSSL extension, an attacker could read up to 64KB of the host machine’s memory. Repeating the request let attackers read more data, placing information such as usernames, passwords and connection logs at risk.

The OpenVPN developers responded quickly, releasing a patch for the affected versions of their server software. They noted that OpenVPN combines SSL connections with tls-auth, which digitally signs data packets to verify their integrity. The software also uses Perfect Forward Secrecy, generating fresh encryption keys for every session, so even if a bad actor discovers one session's keys, they can't use them to decode your data the next time your device connects to an OpenVPN server. The vulnerability only affected servers, not mobile devices, which used a different SSL library called PolarSSL (now known as Mbed TLS).

The OpenVPN website maintains a list of possible security issues including another OpenSSL vulnerability which was discovered in November 2022, though once again this is easy to fix simply by updating the server software. 

There are other vulnerabilities in the OpenVPN Access Server software, but almost all of them rely on the software not being properly configured or updated. Using a reliable VPN provider should mitigate this issue.

Uncertain future 

OpenVPN has been one of the best VPN protocols for a long, long time. But some think its reign might be coming to an end.

New protocols such as WireGuard, NordVPN’s custom WireGuard-based solution NordLynx, and ExpressVPN's Lightway have simpler, stripped-back designs. They throw out most of OpenVPN’s functionality to concentrate only on the core VPN essentials. And although that makes them relatively short on features, there are big compensations, including faster connection times and a potential doubling of your download speeds.

As protocols like WireGuard only support newer encryption schemes, they can be safer to use than OpenVPN, which tries to support as many encryption schemes as possible, even older ones such as 3DES. For example, ExpressVPN’s Lightway protocol is based on wolfSSL, not OpenSSL, so it doesn’t share OpenSSL’s specific weaknesses like Heartbleed. It’s also designed to run efficiently, even on devices with low resources, so some users may find it offers faster connections.

Newer protocols have some disadvantages, though. Fewer features means they're not as widely supported as OpenVPN, nor available on as many platforms. WireGuard doesn't have as many privacy features as you get with OpenVPN, and as it doesn't support TCP, it may not be as reliable in some situations, since TCP takes the time to verify that data has been sent correctly and can resend any missed packets.

OpenVPN overall 

The advent of WireGuard, NordLynx and Lightway could mean OpenVPN is no longer the first-choice protocol for most VPN users. If WireGuard works for you, and doubles your speeds, then by all means use it.

OpenVPN is still useful as a fallback choice - a more reliable and versatile protocol that works even in the tricky situations where others fail. And its flexibility and feature set means it remains one of the most important VPN technologies around.

Whichever protocol you choose, remember that open-source technology offers the best security guarantees, with the code being constantly reviewed by the community. This is why connecting to an OpenVPN server via the FOSS OpenVPN Connect is extremely safe, and you’ll also find open-source clients available for WireGuard. On the other hand, if you choose Lightway, remember you’re also choosing ExpressVPN, as the protocol isn’t currently supported by other providers.

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.