by Florin Andrei on Mar 26, 2004
1. The many ways of VPN
Essentially, there are three ways to implement a VPN:
1. A proprietary solution, using an appliance-like VPN server, such as Cisco VPN, based on IPSec
2. An Open Source implementation of IPSec, such as FreeS/WAN
3. A non-IPSec VPN, like OpenVPN
The proprietary solutions, such as Cisco's, scale well, usually come with good support and are well documented. On the other hand, they can be extremely expensive (unless you cut corners and bolt the VPN function onto an existing firewall or similar device, which is a bad idea for several reasons, not least that both functions then share one point of failure and one attack surface); proprietary solutions also tend to lock you into whatever features the vendor provides, so if you want to (or have to) deviate even a little from the One True Way, you can easily be left in the dust.
The Open Source implementations of the IPSec protocol are nice because they interoperate with pretty much any other IPSec-based VPN; being Open Source, they are also cheap. On the other hand, if you try to deploy such a solution, FreeS/WAN for example, you will face significant issues:
* there is no good free IPSec VPN client for Windows; unless you buy a commercial client, setting up a Windows client is an extremely convoluted procedure
* IPSec is not exactly a firewall-friendly protocol, especially in NAT environments: ESP carries no port numbers for a NAT device to rewrite, and AH authenticates the very IP header that NAT modifies (NAT traversal extensions help, but not every client and firewall supports them); often your users will fail to connect to the VPN server simply because some firewall in between decided it doesn't like the connection 🙂
Enter OpenVPN – http://openvpn.sourceforge.net/:
* it is Open Source VPN software, hence free
* it runs on Linux and Windows, and also on Solaris, the BSDs, etc.
* installing a client, especially on Windows, is very simple
* it is trivial to automate the client, so it works very well when the client is not a workstation operated by a human but an isolated appliance (or kiosk) in a remote location
* it is not only firewall-friendly, it can actually get out of restrictive client networks by tunnelling the VPN connection through an HTTP proxy (using the proxy's CONNECT method)
* it has adaptive LZO compression that saves bandwidth on your VPN connections and switches itself off when the traffic turns out to be incompressible
* it can perform traffic shaping to limit the bandwidth used by a given tunnel
* it has no problems with clients on DHCP networks whose address changes while they are connected (the session simply follows the new address)
* it has a rich and flexible palette of encryption schemes, including the popular strong-crypto algorithms, taken from the OpenSSL library: the TLS handshake authenticates the peers and negotiates the keys, and OpenSSL's ciphers then encrypt the tunnelled packets
There is one thing people usually get wrong when they hear about OpenVPN: even though it is based on SSL, it is not a browser-based pseudo-VPN; it is a full-blown VPN solution that can tunnel any protocol. You can even ping through it, and no browser is required at all. Functionally it is equivalent to Cisco VPN or FreeS/WAN, except that the encryption is not based on IPSec: instead, the IP packets are encapsulated in a tunnel whose keys are negotiated over SSL/TLS. Let's say it is a "free form" use of SSL that happens to be able to tunnel arbitrary IP traffic.
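As an added example (it is not from the original article), here is a client configuration that exercises the features listed above in one place. It assumes OpenVPN 2.1 or later; the server name vpn.example.com, the proxy proxy.example.com:3128, the bandwidth figure and the certificate file names are placeholders to be replaced with your own.

```conf
# Added example client configuration, not part of the original article.
# Every host name, port and file name below is a placeholder.
client
dev tun
proto tcp-client              # an HTTP proxy only relays TCP, so the tunnel must use TCP
remote vpn.example.com 443    # placeholder server; 443 passes most outbound filters
http-proxy proxy.example.com 3128   # reach the server through the site's HTTP proxy (CONNECT)
float                         # keep the session when the peer's source address changes (DHCP)
comp-lzo adaptive             # LZO compression, turned off automatically for incompressible data
shaper 262144                 # cap outgoing tunnel traffic at 262144 bytes/s (256 kB/s), placeholder value
cipher AES-256-CBC            # data-channel cipher from OpenSSL; do not rely on the build default
auth SHA1                     # HMAC for packet authentication
remote-cert-tls server        # only accept a peer whose certificate carries the server EKU,
                              # so another client's certificate cannot impersonate the server
ca ca.crt                     # placeholder file names
cert client.crt
key client.key
persist-key
persist-tun
verb 3
```

Save it as client.ovpn and start the client with `openvpn --config client.ovpn`. Two caveats a practitioner should keep in mind: the proxy mode forces TCP, and running TCP streams inside a TCP tunnel degrades throughput under packet loss because both layers retransmit, so use it only where UDP is blocked; and `remote-cert-tls server` only works if the server certificate was issued with the TLS Web Server Authentication extended key usage, so check that before deploying.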