Problem solve Get help with specific problems with your technologies, process and projects.

OpenVPN: An open source alternative to Windows VPNs

Depending on your network needs, you may want to deploy an IPSec VPN to provide secure remote access to your workforce. Cost-conscious Windows shops will often stick with Windows offerings, but this article from Justin Korelc and Ed Tittel describes an open source VPN alternative called OpenVPN that is both scalable and simple.

This tip originally appeared on

Virtual private networks, or VPNs, are obviously the most secure solution for allowing mobile employees to access...

the corporate network from outside the premises. But because VPNs are easily broken by network address translation (NAT) or stifled by restrictive ACL rules, they pose interesting challenges to enterprise network administration policy and procedure in terms of configuration, implementation and usage.

IPSec-derived VPN solutions can be confusing to inexperienced administrators; they are difficult to configure because so many parameters are involved. Worse yet, IPSec operates in kernel mode, an excellent leverage point for potential attackers.

Enter OpenVPN. OpenVPN's key advantages lie in its simplified security architecture, modular network design and cross-platform compatibility. Because OpenVPN is derived from SSL/TLS, it works with virtually every firewall. It is globally accessible through an Internet connection and an HTTPS-capable Web browser. Virtual tunnel/tap (tun/tap) devices do the heavy lifting, which makes this software less complex and more flexible than kernel-based IPSec components. This architecture also provides cross-platform capability; OpenVPN can run on platforms from BSD (FreeBSD, NetBSD, OpenBSD) and Mac OS X to Linux and Windows.

The tun/tap framework also means that all remote traffic negotiated through an OpenVPN tunnel can be recognized and handled at the company firewall and subsequently shaped by internal quality-of-service policies. On the server side, OpenVPN provides proxy support for TCP and UDP tunnels and even multiple inbound connections to a single port. Because OpenVPN operates in both layer 2 bridging and layer 3 routing modes, it can handle otherwise non-routable protocols such as NETBIOS.

OpenVPN is scalable; it permits creation of numerous endpoints through scripted interactions that work with push/pull options. This lets central servers quickly configure remote computers in a way that's completely transparent to end-users. Furthermore, NAT traversal and flexible dynamic IP allocation support enables OpenVPN to cope with constantly changing client addresses with minimal interruption to ongoing communications. As a result, quick reconnect times are yet another key benefit of the OpenVPN framework.

OpenVPN's ultra portable framework means it can operate on numerous operating systems, including Windows. Its front-end client can be specially packaged to install and operate without administrative privileges using a client configuration file that's fewer than 20 lines long (shown in a text block following this paragraph). This lightweight, portable, cross-platform SSL/TLS solution is ideal for on-the-go administrators, executives, mobile service technicians and any enterprise employees that need remote access to internal company resources.

Example OpenVPN client-side configuration:

 proto udp
 dev tun
 remote 3030
 resolv-retry infinite
 ca ca.crt
 cert my-example.crt
 key my-example.key
 verb 2
Source: How to Run OpenVPN as a non-admin user in Windows

Justin Korelc is a longtime Linux hacker and system administrator who concentrates on hardware and software security, virtualization and high-performance Linux systems. Ed Tittel is a full-time freelance writer based in Austin, Tex., who specializes in markup languages, information security, networking and IT certification. Both Justin and Ed have contributed to books on Home Theater PCs and the Linux-based MythTV environment, and they write regularly about Linux for various TomsHardware sites.

This was last published in August 2006

Dig Deeper on Windows Server and Network Security

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.