OpenVPN is an open source program, which is widely used to provide most of the VPN services that are currently available in the world today. You may see it referred to as a “protocol.” This is not strictly true. Read on to learn what a protocol is, what “open source” means, and how OpenVPN goes about protecting internet connections.
VPN Protocols and Programs
A protocol is a set of rules. A lot of protocols have been published for communications technology, and most of them are available to anyone free of charge. The reason for this is that more facilities and programs will be made available for communications if lots of different teams around the world are incentivized to create them.
If a software company wants to develop a program for the internet and hopes to make lots of money from it, it needs to make sure that the program is able to communicate with software developed by other companies around the world. There would be no point in a company coming up with its own set of rules, such as “a ring signal will be identified by a message with code 47 in it,” because software produced by another team might be written to look for code 60 to signify a ringtone. Thus, it is in everyone’s interests to follow a set of rules that is universally known.
Think of protocols as guidelines. If a software company follows specific protocols, its programs are guaranteed to work over the internet.
“VPN protocols” are not computer programs, but programs are written that follow protocols. The Hypertext Transfer Protocol has “protocol” in its name – this is the “HTTP” that you often see at the beginning of the address bar in your web browser. The most commonly used security protocol on the web is HTTPS, which stands for HTTP Secure.
OpenVPN is a program, not a protocol. The procedures written into the code of the program follow a lot of different protocols.
Open Source Programs
An open source program is a bit like a cross between a protocol and a program. This is because the people who write open source programs make the source code available to anyone. Generally, open source programs are written by non-profit organizations and encourage the involvement of volunteer programmers to develop newer versions.
Although anyone can access open source programs, the organizations that look after them usually want to make sure that everyone uses the same version. Thus, if a company uses the code, they have to share customizations with everyone else. The committee managing the program might decide to allow the changes and include them in a new version of the program, or promote the changes as a different variation, which is available to everyone – this is termed a “fork.”
OpenVPN is an open source program managed by OpenVPN Technologies, Inc.
OpenVPN uses a process called “tunneling.” Note that this method is spelt the American way, with one “l,” even when it is written in a British document.
Tunneling involves protecting the information held in data packets that travel over the internet. All communication over the internet is carried out by a series of messages. The structure that carries these messages is laid down in the Internet Protocol, and so it is called an IP packet. Each message has a payload (which may be empty), which is preceded by a header.
Many security methods, including HTTPS, involve encrypting the contents of a packet’s payload, so it is meaningless to any wire-tapper or snooper. With tunneling, the header of each packet is encrypted as well. The packet header is there for a reason. It carries a number of fields that enable communication. The two main fields are the addresses of the source and destination of each packet.
Data travels across the internet by passing through a series of routers. Each router reads the destination address of the packet and forwards it on to its nearest neighbor, which then passes the packet on to another router. If the header of a packet is encrypted, no router can read the destination address. In order to get the packet over the internet, the entire, encrypted packet is carried in the payload of an outer packet, which doesn’t have its header encrypted.
Given that the actual traffic of a connection has to be repackaged, the OpenVPN methodology relies on a third party mediating all communications. The client has to send everything that is transmitted out of the computer over the internet to a specific address. This is the viewable address shown in the outer packet. The mediating server has to be able to decrypt the original packet so that it can send it on to its intended destination.
The cooperation between VPN client and VPN server lies at the heart of the OpenVPN system. It is the encryption procedures that define the service.
OpenVPN follows a number of different protocols to complete the task of creating a virtual private network. The encryption method used to encode the carried packet is based on OpenSSL. This is an implementation of the Secure Socket Layer, which provides the security measures used in HTTPS.
OpenSSL is not actually a protocol. Like OpenVPN, it is freely available source code. Unlike OpenVPN, this package of code is not termed a program, but is actually a library of procedures. Although OpenSSL includes procedures that implement SSL, which gives it its name, it is accessed for its Transport Layer Security (TLS) protocol implementation. The Secure Socket Layer was found to have a few security flaws, so the Transport Layer Security protocol was written to replace it. Thus, OpenVPN uses TLS, as does HTTPS. Nowadays, whenever you read that something uses SSL, it actually uses TLS.
OpenVPN Encryption Methods
The OpenVPN source code provides a number of security options. Therefore, not every implementation of the program results in the use of identical encryption methods. The encryption options offered by the OpenSSL library cover a total of 14 different ciphers. In practice, most OpenVPN systems will be implementations of either AES or Blowfish. Of these two, the most frequently used by far is AES.
The Advanced Encryption Standard (AES) was commissioned by the National Institute of Standards and Technology (NIST) in the USA. NIST wanted to find a reliable encryption system that the US government could use. This led to the creation of AES in 2001. AES is now the most widely used symmetrical key cipher system in the world.
A symmetrical key system requires both sides of a connection to possess the same key. That key is applied to the data to scramble it, and the decryption process uses the same key. That key can be 128-bit, 192-bit, or 256-bit. In almost every OpenVPN implementation, the 256-bit key is used. The importance of the length of the key is that longer keys create ciphers that are harder to crack.
One way to crack an encryption is to guess the key. A 256-bit encryption key would take 3.31 times 10 to the power of 65 tries to get right – that’s 3,310 with another 61 zeros trailing after it. According to Douglas Crawford of BestVPN.com, that number is roughly equal to the number of atoms in the known universe.
The method is complicated. It involves transforming the data by the key number 14 times over.
Blowfish is also a symmetrical key system. It is older than AES and it has never been cracked. You may wonder why there is an alternative to AES, given that it is so secure that the US government uses it. The answer is that many are suspicious of the government. Some believe that the government purposefully promotes AES because it knows how to get around it.
OpenVPN Key Exchange
You may be wondering how a symmetrical system can be totally secure. If all communication is carried out with both sides having the same key, then how do they both get that key in the first place? Another issue is that changing the key frequently makes the encryption system more secure.
This is because it might be possible for someone to acquire the key by some method. If the key is changed, then the snooper will have to start all over again to try to get the new key. The best systems use a different key for each session.
How do both sides safely end up knowing the same key? The OpenVPN system includes three methods and each implementer can choose one of them. The first two systems rely on public key encryption. This is an asymmetrical system – the key that decrypts a cipher is different to the one that encrypts it.
You may have surfed to a website that has “https://” in front of its address, only to get a warning message saying that the site cannot be trusted because its certificate is out of date. This is one of the security methods that OpenVPN uses to distribute AES and Blowfish keys.
On connecting to the server, the client software requests the server’s certificate. It then checks the details of that information against a third-party database to make sure that they match. The certificate includes a public key. The client encrypts a key with that public key, then sends it to the server. The server then uses its own private key to decrypt the message. It selects a key for the session, encrypts it with the key that the client sent, and replies to the original message. The client then has the same key as the server and the AES or Blowfish encrypted session can begin.
The second method is almost identical, only it disposes of certificates. In both of these methods, RSA public key encryption is used. RSA stands for Rivest, Shamir, Adelman, which are the surnames of the inventors of the cipher. The encryption key is 1,024 bits long – four times the length of the AES key.
The third encryption key distribution method available in the OpenSSL library requires the use of usernames and passwords. However, this method is rare.
OpenVPN Guide Conclusions
OpenVPN is generally reckoned to be the most secure method of creating VPNs. Those who worry that the US government might be pushing the AES standard for a reason, might feel happier choosing an OpenVPN implementation that uses Blowfish instead.
OpenVPN is just one of a range of encryption standards available. Many VPN services offer a choice of systems, which the user can switch between by looking in the settings section of the VPN interface app. Some people prefer not to use OpenVPN as the work needed for the 14 rounds of encryption on every packet can sometimes slow the connection down a bit.
Those who aren’t too bothered about privacy, but want speed instead, often opt for PPTP encryption. The Point-to-Point Tunneling Protocol was invented by Microsoft and integrated into Windows 95. It is generally favored by online gamers and video streamers, where security issues are not life-threatening.
The next time you browse for a new VPN service, read through the description of the system to see whether it uses OpenVPN, and which underlying encryption system its implementation operates.