Tag Archive | "openvpn connect"

PPTP, L2TP, OpenVPN, SSTP and IKEv2 Function

Edward Snowden has revealed that the NSA has for years been working on how to overturn VPN encryption technologies, We will make a rundown of the major differences between the different VPN protocols and how they affect you, as a VPN user.


PPTP is an acronym for Point-to-Point Tunneling Protocol. It was developed by a consortium founded by Microsoft for creating VPN over dialup networks, and as such has long been the standard protocol for internal business VPN. It is a VPN protocol only, and relies on various authentication methods to provide security. Available as standard on just about every VPN capable platform and device, and thus being easy to set up without the need to install additional software, it remains a popular choice both for businesses and VPN providers. It also has the advantage of requiring a low computational overhead to implement, making it very fast.

However, although now usually only found using 128-bit encryption keys, in the years since it was first bundled with Windows 95 OSR2 back in 1999, a number of security vulnerabilities have come to light, the most serious of which is the possibility of unencapsulated MS-CHAP v2 Authentication. Using this exploit, PPTP has been cracked within 2 days, and although Microsoft has patched the flaw (through the use of PEAP authentication), it has itself issued a recommendation that VPN users should use L2TP/IPsec or SSTP instead.

Knowing that PPTP was insecure anyway, it came as no surprise to anybody that the NSA almost certainly decrypts PPTP encrypted communications as standard. Perhaps more worrying is that the NSA has (or is in the process of) almost certainly decrypted the vast amounts of older data it has stored, which was encrypted back when even security experts considered PPTP to be secure.

L2TP and L2TP/IPsec

Layer 2 Tunnel Protocol is a VPN protocol that on its own does not provide any encryption or confidentiality to traffic that passes through it. For this reason it is usually implemented with the IPsec encryption suite (similar to a cipher, as discussed below) to provide security and privacy.

L2TP/IPsec is built-in to all modern operating systems and VPN capable devices, and is just as easy and quick to set up as PPTP (in fact it usually uses the same client). Problems can arise however, because the L2TP protocol uses UDP port 500, which is more easily blocked by NAT firewalls, and may therefore require advanced configuration (port forwarding) when used behind a firewall (this is  unlike SSL which can use TCP port 443 to make it indistinguishable from normal HTTPS traffic).

IPsec encryption has no major known vulnerabilities, and if properly implemented may still be secure. However, Edward Snowden’s revelations have strongly hinted at the standard being compromised by the NSA, and as John Gilmore said, it is likely that it has been been deliberately weakened during its design phase.

L2TP/IPsec encapsulates data twice which slows things down, but this is offset by the fact that encryption/decryption occurs in the kernel and L2TP/IPsec  allows multi-threading (which OpenVPN does not.) The result is that L2TP/IPsec is theoretically faster than OpenVPN.


OpenVPN is a fairly new open source technology that uses the OpenSSL library and SSLv3/TLSv1 protocols, along with an amalgam of other technologies, to provide a strong and reliable VPN solution.  One of its major strengths is that it is highly configurable, and although it runs best on a UDP port, it can be set to run on any port, including TCP port 443. This makes traffic on it impossible to tell apart from traffic using standard HTTPS over SSL (as used by for example Gmail), and it is therefore extremely difficult to block.

Another advantage of OpenVPN is that the OpenSSL library used to provide encryption supports a number of cryptographic algorithms (e.g. AES, Blowfish, 3DES,  CAST-128, Camellia and more), although VPN providers almost exclusively use either AES or Blowfish. 128-bit Blowfish is the default cipher built into OpenVPN, and although generally considered secure, it does have known weaknesses, and even its creator was quoted in 2007 as saying ‘at this point, though, I’m amazed it’s still being used. If people ask, I recommend AES instead, because it is the newer technology, and has no known weakness.

How fast OpenVPN performs depends on the level of encryption employed, although technically speaking IPSec is faster than OpenVPN because encryption/decryption is performed in the kernel, and because it allows for multi-threading, which OpenVPN does not.

OpenVPN has become the default VPN connection type, and while natively supported by no platform, is widely supported on most through third party software (including  both iOS and Android).

Perhaps most importantly in light of the information obtained from Edward Snowden, it seems that as long as Perfect Forward Secrecy (ephemeral key exchanges, which we discuss later) is used, then OpenVPN has not been compromised or weakened by the NSA.

Although no-one knows the full capabilities of the NSA for sure, both the evidence and the mathematics strongly point to OpenVPN, if used in conjunction with a strong cipher and ephemeral keys, being the only VPN protocol that can be considered truly secure. Unfortunately, not all VPN providers use PFS when implementing OpenVPN…


Secure Socket Tunneling Protocol was introduced by Microsoft in Windows Vista SP1, and although it is now available for Linux, RouterOS and SEIL, it is still largely a Windows-only platform (and there is a snowball’s chance in hell of it ever appearing on an Apple device!*). SSTP uses SSL v3, and therefore offers similar advantages to OpenVPN (such as the ability to use to TCP port 443 to avoid NAT firewall issues), and because it is integrated into Windows may be easier to use and more stable.

However unlike OpenVPN, SSTP is a proprietary standard owned by Microsoft. This means that the code is not open to public scrutiny, and Microsoft’s history of co-operating with the NSA, and on-going speculation about possible backdoors built-in to the Windows operating system, do not inspire us with confidence in the standard.


Internet Key Exchange (version 2) is an IPSec based tunnelling protocol that was jointly developed by Microsoft and Cisco, and which is baked into Windows 7 and above. The standard is supported by Blackberry devices, and independently developed (and largely compatible) versions of IKE have been developed for Linux (through various open source implementations) and other operating systems. As always, we are wary of anything developed by Microsoft, but if open source versions are used then there should be no problem.

Dubbed VPN Connect by Microsoft, IKEv2 is particularly good at automatically re-establishing a VPN connection when users temporarily lose their internet connections (such as when entering or leaving a train tunnel).

Mobile users in particular, therefore, benefit the most from using IKEv2, which, because of its support for the Mobility and Multihoming (MOBIKE) protocol, also makes it highly resilient to changing networks. It’s good news for cell phone users, who regularly switch between hotspots.

IKEv2 is even more useful to Blackberry users, as it is one of the few VPN protocols supported by Blackberry devices.


Posted in UncategorizedComments (0)

How Open VPN Works

First of all, what is this OpenVPN that you might have seen its software before, and not installing it?

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS (Note: SSL makes a website secure by encrypting vital information) for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL). It may be important to note that GNU General Public License is a widely used free software license, which guarantees end users the freedom to run, study, share and modify the software.

OpenVPN allows peers (Interconnected nodes) to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. We can esily determine a site is secure when the URL starts with “https” and not just “http”.

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of OpenVPN protocol.

Private Tunnel VPN is a commercial spin-off of OpenVPN Technologies, a VPN service provider based in the US that, unusually, charges according to data transferred rather than per month.

Features of OpenVPN


OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an “HMAC Firewall” by the creator). It can also use hardware acceleration to get better encryption performance. Support for mbed TLS is available starting from version 2.3.


OpenVPN has several ways to authenticate peers with each other. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. Preshared secret key is the easiest; with certificate based being the most robust and feature-rich In version 2.0 username/password authentications can be enabled, either with or without certificates. However to make use of username/password authentications, OpenVPN depends on third-party modules.


SecurityOpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing created SSL tunnels on a single TCP/UDP port (RFC 3948 for UDP). From 2.3.x series on, OpenVPN fully supports IPv6 as protocol of the virtual network inside a tunnel and the OpenVPN applications can also establish connections via IPv6. It has the ability to work through most proxy servers (including HTTP) and is good at working through Network Address Translation (NAT) and getting out through firewalls. The server configuration has the ability to “push” certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options.

OpenVPN offers several internal security features. It has up to 256-bit Encryption through OpenSSL library although some service providers may offer lower rates effectively making the connection faster. It runs In userspace, instead of requiring IP stack (and therefore kernel) operation. OpenVPN has the ability to drop root priveledges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization and apply a SELinux context after initialization.

OpenVPN runs a custom security protocol based on SSL and TLS rather than support IKE, IPsec, L2TP or PPTP. OpenVPN offers support of smart cards via PKC#11 based cryptographic tokens.


OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined entry points. The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code there are some examples of such plug-ins, including a PAM authentication plug-in. Several third party plug-ins also exist to authenticate against LDAP or SQL databases such as SQLite and MySQL.


It is available on Solaris, Linus OpenBSD, FreeBSD, NetBSD QNX, Mac OS X, and Windows XP and Later. OpenVPN is available for mobile phone operating systems (OS) including Maemo, Windows Mobile 6.5 and below, IOS 3GS+ devices, jailbroken IOS 3.1.2+ devices, Android 4.0+ devices, and Android devices that have had the Cyanogenmod aftermarket firmware flashed or have the correct kernel module installed. It is not compatible with some mobile phone OSes, including Palm OS.


Posted in UncategorizedComments (3)


Share this page

Related Sites