What Is OpenVPN & How Does OpenVPN Work?

You’ve likely heard of OpenVPN by now - even if you’re new to VPNs. Most providers offer this protocol simply because it’s so secure and reliable. But what is OpenVPN, to be exact? And how does OpenVPN work, actually?

Well, if you’d like to learn more about that, we’ve got you covered with this in-depth article. So read on if you want to find out everything you need to know about OpenVPN.

What Is OpenVPN?

OpenVPN is both a VPN protocol and software that uses VPN techniques to secure point-to-point and site-to-site connections. Currently, it’s one of the most popular VPN protocols among VPN users.

Programmed by James Yonan and released in 2001, OpenVPN is one of the only open-source VPN protocols that also has its own open-source application (WireGuard and SoftEther being the other ones).

How Does OpenVPN Work?

The OpenVPN protocol is responsible for handling client-server communications. Basically, it helps establish a secure “tunnel” between the VPN client and the VPN server.

When OpenVPN handles encryption and authentication, it uses the OpenSSL library quite extensively. Also, OpenVPN can use either UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) to transmit data.

If you’re not familiar with TCP and UDP, they are transport layer protocols, and are used to transmit data online. TCP is more stable since it offers error correction features (when a network packet is sent, TCP waits for confirmation before sending it again or sending a new packet). UDP doesn’t perform error correction, making it a little less stable, but much faster.

OpenVPN works best over UDP (according to OpenVPN.net), which is why the OpenVPN Access Server first tries to establish UDP connections. If those connections fail, only then does the server try establishing TCP connections. Most VPN providers also offer OpenVPN over UDP by default.

Due to the way it’s programmed (it’s a custom security protocol), the OpenVPN protocol can easily traverse HTTP proxies and NAT.

Unlike most VPN protocols, OpenVPN is open-source. That means its code isn’t owned by just one entity, and third-parties can always inspect it and continuously improve it.

OpenVPN Explained In-Depth – General Technical Details

  • Generally, OpenVPN uses 256-bit OpenSSL encryption. To further strengthen the security of the connection, OpenVPN can use the AES, Camellia, 3DES, CAST-128, or Blowfish ciphers.
  • While OpenVPN doesn’t have any support for L2TP, IPSec, and PPTP, it uses its own custom protocol based on TLS and SSL.
  • OpenVPN supports improving the login and authentication processes through the use of third-party plugins and scripts.
  • Clients can actually connect to servers beyond the OpenVPN server since it offers support for a private subnet configuration.
  • To protect users from buffer overflow vulnerabilities in TLS/SSL implementations, DoS attacks, port scanning, and port flooding, OpenVPN relies on tls-auth for HMAC signature verification. OpenVPN is also programmed to drop privileges if necessary, and run in a chroot jail dedicated to CRL.
  • OpenVPN runs in user space instead of kernel space.
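
The tls-auth bullet above describes an HMAC check that discards packets before any TLS code processes them. The sketch below is an added example, not OpenVPN's code or wire format; the packet layout (tag, 4-byte packet id, payload), the key, and the names `seal` and `HmacGate` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def seal(key, packet_id, payload):
    """Sender side: prepend an HMAC computed over the packet id and payload."""
    body = struct.pack("!I", packet_id) + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body

class HmacGate:
    """Receiver side: runs before the TLS stack ever sees the datagram."""

    def __init__(self, key):
        self.key = key
        self.last_id = 0

    def accept(self, datagram):
        """Return the payload, or None when the datagram is silently dropped."""
        if len(datagram) < TAG_LEN + 4:
            return None                      # too short to carry a tag and an id
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # sender lacks the shared key: no reply
        (packet_id,) = struct.unpack("!I", body[:4])
        if packet_id <= self.last_id:
            return None                      # replayed or stale packet
        self.last_id = packet_id
        return body[4:]

def demo():
    """Feed one valid and four invalid datagrams through the gate."""
    key = b"constructed-demo-key"            # constructed value, not a real ta.key
    gate = HmacGate(key)
    good = seal(key, 1, b"client hello")
    forged = seal(b"wrong-key", 2, b"client hello")
    tampered = good[:-1] + bytes([good[-1] ^ 1])
    probe = b"\x16\x03\x01probe"             # unauthenticated scanner-style probe
    return [gate.accept(good), gate.accept(good), gate.accept(forged),
            gate.accept(tampered), gate.accept(probe)]

if __name__ == "__main__":
    print(demo())
```

Only the first datagram reaches the layer behind the gate; the replay, the wrong-key packet, the bit-flipped packet and the bare probe are all dropped without a response.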

Is OpenVPN Safe to Use?

Yes. In fact, OpenVPN is one of the safest VPN protocols you can use right now. Most VPN providers and security experts actually recommend sticking to OpenVPN if you want to enjoy a private, surveillance and hacker-free online experience.

The protocol has even undergone two security audits back in 2017 – one audit only found very minor issues that didn’t endanger user data, and the other audit only found two bugs (which were actually fixed very quickly).

Plus, the OpenVPN.net platform also has a large in-depth list of what users can do to further secure their connections after configuring OpenVPN on their devices. And since it’s an open-source protocol, it’s much more trustworthy since you can check out the code yourself (if you’re experienced with that) to make sure everything is in order.

How Fast Is OpenVPN?

Speed isn’t really OpenVPN’s strong suit, but you do tend to get decent connection speeds if you have enough bandwidth. The reason your speeds tend to drop quite often with OpenVPN is mostly due to its strong encryption. Of course, other factors can come into play too.

Generally, you can get faster speeds if you use OpenVPN over UDP instead of TCP.

How to Use OpenVPN

OpenVPN isn’t exactly the most user-friendly protocol out there, and setting up a connection can be a bit daunting.

In this section, we’re going to cover the Windows setup process since it was the most requested. The Android and iOS setup processes follow similar steps as the ones we’ll discuss here. Installing and using OpenVPN on Linux is pretty complex, but here’s the main way to do it (also, some extra information can be found here).

Now, before we move on, we should mention that in order to set up an OpenVPN connection, you’ll need a subscription to a VPN service. While you can set up your own OpenVPN server, it’s extremely difficult, and most tutorials that are available online only cover Linux platforms.

With that out of the way, here are the main things you need to know about using the OpenVPN protocol:

1. First, Get the Configuration Files

In order to connect to your provider’s servers, OpenVPN will require certain configuration files which define how a connection is carried out. As long as you choose a decent VPN provider, you should be able to find all the configuration files you need on their Downloads page.

The configuration files usually come archived, and you’ll need to unzip them. The most important files will be the OVPN ones.

2. Install the OpenVPN Client

Once you have the configuration files, you need to install the OpenVPN client on your device. You can easily find the installers you need on the Downloads page on OpenVPN.net. Just run the installer, accept the default options, choose a different install destination folder if you want, and proceed with the installation process.

When finished, your default text viewer might open a new file to showcase a guide containing technical details. You can read it if you want, but it’s safe to close the file at this point too.

3. Now, Import the VPN Data

To start OpenVPN, you need to launch the OpenVPN GUI application. It will add the service to your System Tray (the small task bar in the lower right corner). Next, copy over all the OVPN files you downloaded to the “Config” subfolder within the OpenVPN installation folder.

Now, if you click on the OpenVPN icon in your System Tray, you should be able to see the names of all the files you just copied. If it’s easier for you, you can rename the files.

4. Establishing the Connection

To connect to a server, just click on the OVPN files in the OpenVPN application. When prompted, type in your login credentials. If everything goes okay, you should see a log screen with some status commands, which will disappear when the connection is established.

You should get a desktop notification letting you know the connection was successful. Also, if you look at the OpenVPN icon, you should see a green screen. When you hover over it, you’ll see a tooltip telling you the name of the server and your new IP address.

At this point, you can try testing the connection to make sure everything is in order.

To disconnect, simply click the OpenVPN icon, choose the server you’re connected to, and click on “Disconnect.”

5. Tweaking Settings (Basic and Advanced)

The OpenVPN application doesn’t have many settings, but you can still play around with some of them.

For example, you can go into “Settings” and make sure that OpenVPN automatically launches when you start up your operating system. You can also get rid of the log screen that pops up when you connect to a server by checking the “Silent Connection” option. And be careful with the “Never” option as it disables desktop notifications.

In case you want to further tweak your connections, you can open the OVPN files themselves (we recommend doing it with WordPad) to see what commands are assigned to them. If you’re knowledgeable enough, you can edit the existing commands or add new ones. Some commands that might be of interest to those of you who are more experienced include:

  • The “proto” command – This command is used to switch between UDP or TCP. Just add the protocol name after the command, like so: “proto udp.”
  • The “remote” command – That’s the line which tells OpenVPN the name of the server you want to use. It usually includes the port after the VPN server name as well. If you know of alternative ports your provider uses, you can switch between them here.
  • The “tun-mtu” command – This stands for Maximum Transmission Unit value. It’s usually set somewhere around 1500, but you can try changing it to increase performance.
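
Before editing an OVPN file by hand, it helps to see what it currently resolves to. The following is an added example (not CactusVPN's or the OpenVPN project's code) that parses a profile, lists each `remote` with its effective port and protocol, and flags the weaker options mentioned earlier in this article (Blowfish, 3DES and CAST-128 ciphers, a missing tls-auth key). The sample profiles, `vpn.example.com`, `ta.key` and the 1500 MTU threshold are constructed assumptions.

```python
import shlex

# OpenVPN names for the 64-bit-block ciphers (Blowfish, 3DES, CAST-128).
WEAK_CIPHERS = {"BF-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
WEAK_DIGESTS = {"MD5", "SHA1"}

def parse_ovpn(text):
    """Return [(directive, [args])], skipping comments and inline <ca>-style blocks."""
    out, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <ca> ... </ca> and similar
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":             # both comment styles OpenVPN accepts
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            out.append((block, ["[inline]"]))       # record that the block is present
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def audit(text):
    """Resolve the remote list and flag weak settings in a client profile."""
    conf, first = parse_ovpn(text), {}
    for name, args in conf:
        first.setdefault(name, args)
    arg = lambda name, default: (first.get(name) or [default])[0]
    proto, port = arg("proto", "udp"), arg("port", "1194")   # OpenVPN's defaults
    remotes = [(a[0], int(a[1] if len(a) > 1 else port), a[2] if len(a) > 2 else proto)
               for name, a in conf if name == "remote" and a]
    findings = []
    if arg("cipher", "").upper() in WEAK_CIPHERS:
        findings.append(f"cipher {arg('cipher', '')}: 64-bit block cipher, use AES-256-GCM")
    if arg("auth", "").upper() in WEAK_DIGESTS:
        findings.append(f"auth {arg('auth', '')}: legacy digest, use SHA256 or stronger")
    if "tls-auth" not in first and "tls-crypt" not in first:
        findings.append("no tls-auth/tls-crypt: handshake packets are not HMAC-checked")
    mtu = arg("tun-mtu", "1500")
    if not mtu.isdigit() or int(mtu) > 1500:        # heuristic bound (an assumption)
        findings.append(f"tun-mtu {mtu}: above the usual 1500, expect fragmentation")
    return {"remotes": remotes, "findings": findings}

# Constructed sample profiles; vpn.example.com and ta.key are placeholders.
WEAK = """client
proto tcp
remote vpn.example.com 443
remote vpn.example.com 1194 udp
cipher BF-CBC
auth SHA1
tun-mtu 9000
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
HARDENED = "\n".join(["client", "proto udp", "remote vpn.example.com 1194",
                      "cipher AES-256-GCM", "auth SHA256", "tls-auth ta.key 1"])

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED), sep="\n")
```

Note that a protocol given on a `remote` line overrides the global `proto` for that entry, which is why the second remote in the weak profile resolves to UDP.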

Besides that, you can check the “doc” subfolder in your OpenVPN installation folder for more advanced documentation that can show you how to do other things (like setting up scripts for when your VPN disconnects, or blocking DNS leaks). You can also check the Reference Manual that’s available on OpenVPN.net for more information.

OpenVPN Advantages and Disadvantages

Advantages

  • OpenVPN is a very secure protocol, being able to use 256-bit encryption keys and high-end ciphers.
  • The OpenVPN protocol can easily bypass any firewall it encounters.
  • Since OpenVPN can use both TCP and UDP, it offers you more control over your connections.
  • OpenVPN runs on a large number of platforms. Some examples include Windows, macOS, iOS, Android, Linux, routers, FreeBSD, OpenBSD, NetBSD, and Solaris.
  • OpenVPN has support for Perfect Forward Secrecy.

Disadvantages

  • Manually setting up the OpenVPN protocol can be rather difficult on some platforms.
  • Sometimes, you might encounter drops in connection speeds due to the strong encryption.
  • OpenVPN requires third-party applications to run.

Need a Reliable VPN That Offers the OpenVPN Protocol?

CactusVPN is just what you’re looking for. We offer both UDP and TCP OpenVPN protocols, and everything comes already configured for you. All you need to do is install our app, connect to one of our 30+ high-speed servers, and enjoy your online experience.

In terms of security, our OpenVPN connections are very versatile. You can enjoy powerful ciphers like AES and Camellia, and SHA-256, SHA-384, SHA-512, and RMD-160 for authentication encryption.

Plus, we don’t just offer the OpenVPN protocol. Besides it, you can actually use five other VPN protocols too: SoftEther, IKEv2/IPSec, SSTP, L2TP/IPSec, PPTP.

Top-Notch Cross-Platform Compatibility + Ease of Use

Just like the OpenVPN protocol, our service works on multiple operating systems and devices too. Here’s a list of the platforms you can install our user-friendly applications on: Windows, Android, Android TV, macOS, iOS and Fire TV.

Special Deal! Get CactusVPN for $3.5/mo!

And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.

How Does the OpenVPN Protocol Compare to Other VPN Protocols?

At the moment, OpenVPN tends to surpass most VPN protocols. The only ones that manage to keep up with OpenVPN seem to be WireGuard and SoftEther, as you’ll soon see yourself.

OpenVPN vs. SSTP

SSTP and OpenVPN are pretty similar since they both use SSL 3.0, and both VPN protocols can use port 443. They also offer a similar level of security, as both protocols can use 256-bit encryption and the highly-secure AES cipher.

However, OpenVPN is open-source, meaning it’s much more trustworthy than SSTP, which is solely owned by Microsoft – a company that is known to collaborate with the NSA and FBI.

Also, when it comes to firewalls, OpenVPN seems to fare a bit better than SSTP. How come? Well, here’s a lesser-known fact about SSTP – according to Microsoft themselves, the protocol doesn’t actually support authenticated web proxies. What that means is that the network admin could theoretically detect SSTP headers and drop the connection if a non-authentication proxy is used.

In terms of speeds, it’s been claimed that SSTP is faster than OpenVPN, but there’s not a lot of conclusive evidence. It’s true that OpenVPN can be pretty resource-intensive, but that’s usually when it uses the TCP port (the same one SSTP uses). However, OpenVPN can also use the UDP port, which offers much better speeds.

As for cross-platform compatibility, OpenVPN has the upper hand since it works on significantly more platforms than SSTP, which is only available on Windows, Linux, Android, and routers. Still, it is worth mentioning that SSTP is natively built into Windows platforms, so it’s easier to set up than OpenVPN.

Overall, both OpenVPN and SSTP are a decent choice, but OpenVPN is simply more efficient. In case you’d like to learn more about SSTP, check out this article.

OpenVPN vs. WireGuard®

OpenVPN uses the OpenSSL library to implement all sorts of cryptographic algorithms (the most popular being AES-256). WireGuard uses modern, fixed algorithms (you can’t change them) to allegedly avoid misconfigurations that result in security vulnerabilities. Overall, they both offer excellent security.

WireGuard is without a doubt faster than OpenVPN. Its code base is much more lightweight (roughly 4,000 lines compared to 70,000 – 600,000 lines), and it uses CPU cores more efficiently. In our tests, WireGuard was faster even when we used OpenVPN over UDP.

Want to find out more about Wireguard? Then check out this article.

OpenVPN vs. SoftEther

It’s safe to say that both OpenVPN and SoftEther are really secure protocols. They’re open-source, use military-grade ciphers like AES, utilize 256-bit encryption, and also use SSL 3.0. The main difference between them is the age – SoftEther is much newer than OpenVPN. Because of that, some people feel like OpenVPN is much more reliable.

In terms of speed, SoftEther fares better than OpenVPN. In fact, according to the research from the University of Tsukuba (the people behind SoftEther VPN, so not a 100% objective source), the SoftEther protocol is supposed to be 13 times faster than the OpenVPN protocol.

Both protocols work on a decent number of platforms, but SoftEther seems to be a bit easier to set up than OpenVPN. However, you should know that even if you use a VPN provider who offers SoftEther connection, you’ll still need to download additional software for it to run. With OpenVPN, that’s optional.

Like OpenVPN, SoftEther can also run its own server, but the SoftEther server can actually run the OpenVPN protocol, alongside other protocols like IPSec, L2TP/IPSec, SSTP, and SoftEther. The OpenVPN server can only run its own custom protocol.

In the end, SoftEther is a solid OpenVPN alternative. If – for whatever reason – you can’t use OpenVPN, you should try SoftEther. If you’d like to know more about it, follow this link.

OpenVPN vs. PPTP

For starters, PPTP is significantly weaker than OpenVPN in terms of security. While OpenVPN can handle 256-bit encryption keys and ciphers like AES, PPTP can only use 128-bit keys through the MPPE cipher. Unfortunately, MPPE encryption is very easy to exploit – here are just a few issues:

  • MPPE is vulnerable to bit-flipping attacks.
  • MPPE can’t encrypt NCP (Network Control Protocol) PPP (Point-to-Point Protocol) packets.
  • The cipher doesn’t usually check if the server is authentic.
  • MPPE is vulnerable to the Reset-Request attack (a form of Man-in-the-Middle Attack)

Also, PPTP can use MS-CHAP-v1 (which isn’t secure) or MS-CHAP-v2 (again, not safe at all) for authentication. OpenVPN is much more secure since it can use better encryption for authentication, such as SHA-256, SHA-384, or SHA-512.

Furthermore, PPTP is pretty easy to block with a firewall. OpenVPN can’t really be blocked by the network admin since it uses the HTTPS port. Oh, and let’s not forget that the NSA can apparently crack PPTP traffic.

Pretty much the only way PPTP is better than OpenVPN is when it comes to online speeds and being natively available on multiple platforms. Due to its poor encryption, PPTP is very speedy. And while OpenVPN is highly cross-platform compatible, it’s not natively integrated into as many platforms as PPTP. Though, it’s worth mentioning that PPTP might no longer be natively available in future operating systems and devices. For example, the protocol hasn’t been available on macOS and iOS devices since macOS Sierra and iOS 10.

If you’d like to read more about the PPTP protocol, we’ve already got an in-depth article on it.

OpenVPN vs. L2TP/IPSec

Like PPTP, L2TP/IPSec is natively available on many platforms. So, setting it up is much easier than setting up OpenVPN. Though, if you use a VPN service, you won’t notice any differences. On the other hand, L2TP/IPSec uses fewer ports than OpenVPN, and it doesn’t use port 443. So, it’s easier for the protocol to be blocked by a NAT firewall.

While L2TP/IPSec isn’t entirely owned by Microsoft (since it was also developed by Cisco), it’s still not as trusted as OpenVPN which is open-source. Also, it’s important to note that Edward Snowden has previously claimed that L2TP was intentionally weakened by the NSA.

Oh, and speaking of security, you need to know that L2TP on its own offers 0 encryption. That’s why it’s always paired up with IPSec. Plus, even though OpenVPN on TCP can sometimes be a resource-hog, L2TP/IPSec is very resource-intensive too (depending on how powerful your device is) because it encapsulates data twice.

If you want to find out more about L2TP/IPSec, here’s a useful link.

OpenVPN vs. IPSec

IPSec is often paired up with L2TP and IKEv2, but you might find VPN providers who offer access to this protocol on its own.

So, how does it fare against the OpenVPN protocol? Well, both of them offer a similarly decent level of security. Though, you need to be more careful with IPSec when configuring it, since a small mistake can ruin the protection it offers. Also, since IPSec occupies kernel space (the space on the device reserved for the operating system), its security can be limited by the way it’s configured by the vendor. That also makes IPSec less portable than OpenVPN, which uses user space (system memory allocated to applications).

IPSec is usually natively available on many platforms, while OpenVPN has to be manually configured on them. Naturally, that’s not a problem if you use a VPN service. Another thing worth noting is that IPSec traffic can sometimes be blocked by some firewalls, while OpenVPN UDP or TCP packets don’t have such issues.

As for speeds and stability, both are pretty decent if you have enough bandwidth and a relatively powerful device. Still, you should know that IPSec might take longer to negotiate the tunnel than OpenVPN does.

Interested in finding out more about IPSec? Check out this article.

OpenVPN vs. IKEv2/IPSec

OpenVPN and IKEv2 are both secure protocols, but it’s worth noting that OpenVPN uses TLS/SSL to secure data at the Transport level, while IKEv2 secures data at the IP level. Generally, that’s not a huge difference, but it’s good to know about it nonetheless. And while IKEv2 was developed by Cisco together with Microsoft, that’s not such a huge issue since there are open-source implementations of IKEv2.

OpenVPN offers more support when it comes to cross-platform compatibility, but IKEv2 is usually a favorite of mobile users because it’s natively integrated into BlackBerry devices. Also, IKEv2 tends to offer better stability than OpenVPN because it can resist network changes. What does that mean? That if, for example, you were to switch from a WiFi connection to your data plan connection on the go, IKEv2 could handle that without dropping the connection.

Besides that, you should know that IKEv2 tends to be faster than OpenVPN, but it’s also easier to block than the OpenVPN protocol. Why? Because IKEv2 uses UDP port 500, and network admins have an easier time targeting it than port 443, which is usually used by OpenVPN.

Overall, we’d say that IKEv2 is a better choice than OpenVPN if you use your mobile phone a lot – especially when you travel abroad. Otherwise, you should just stick to OpenVPN.

In case you’d like to read more about IKEv2, follow this link.

So, Why Use OpenVPN and When Should You Do It?

The main reason to use the OpenVPN protocol is because it’s very secure, really stable, and it works on multiple platforms. Most security experts recommend always using OpenVPN for anything you do online – especially since it’s such a transparent option (due to it being open-source).

Regarding when to use OpenVPN, it’s an appropriate VPN protocol for whenever you want to secure your online connections – be it when you’re gaming online, downloading torrents, or about to become a whistleblower. OpenVPN is also a good choice when you need to bypass a firewall – whether you’re unblocking geo-restricted content or just unblocking websites at work or school.

The Bottom Line – What Is OpenVPN?

OpenVPN is both an open-source VPN protocol and VPN software that enables people to run secured VPN connections. Most VPN providers offer this protocol because it’s very secure (it uses the OpenSSL library and 256-bit encryption) and it works across multiple platforms. OpenVPN is considered the best choice among VPN protocols, with only WireGuard and SoftEther being able to rival it.

Generally, you should choose a VPN provider that provides access to OpenVPN connections, but which also offers access to other VPN protocols.

“WireGuard” is a registered trademark of Jason A. Donenfeld.

Tim has been writing content and copy for a living for over 4 years, and has been covering VPN, Internet privacy, and cybersecurity topics for more than 2 years. He enjoys staying up-to-date with the latest in Internet privacy news, and helping people find new ways to secure their online rights.
