The OpenVPN protocol is widely used for both consumer and enterprise VPNs. Because it is open source, it is freely available, which explains much of its popularity, and its code is open to review by security specialists, so flaws tend to be found and fixed rather than lingering unnoticed.
But what is OpenVPN, how secure is it, and how does it compare to other VPN protocols?
In this article, we’ll cover:
- The basics of OpenVPN
- Supported encryption libraries
- OpenVPN TCP vs. UDP
- OpenVPN Security (is it safe?)
- Device Support
- OpenVPN vs. other protocols
- VPNs that support OpenVPN
What is OpenVPN?
OpenVPN is a VPN protocol, and the open-source software that implements it includes both VPN client and VPN server functionality. A protocol is simply a set of rules that control a specific interaction (in this case, a VPN connection).
OpenVPN is open-source, which means its code is freely available to be inspected, redistributed, or modified. This allows bug-hunting to be crowdsourced, which should theoretically decrease the risk of significant bugs or security flaws.
Because it’s open-source, many VPN providers have elected to integrate the OpenVPN protocol into their service. Many build a custom VPN Client around OpenVPN, often with extra features like a kill-switch or SmartDNS.
OpenVPN allows a high degree of flexibility in terms of how the protocol is implemented. For example, it supports the full OpenSSL cipher library which includes multiple ciphers of various encryption strength. VPN Providers can choose any, all, or just one of these.
Similarly, OpenVPN offers multiple HMAC message-authentication hashes for detecting tampering with packets in transit, such as bit-flipping attacks. The industry standard is SHA-256 authentication, but OpenVPN lets you choose from several options, all the way up to SHA-512.
Unlike other protocols, OpenVPN isn’t limited to specific operating systems or hardware. It can run on almost any platform as long as the OS or firmware implements OpenVPN.
Here’s a partial list of devices and operating systems that use OpenVPN:
- Computers: Windows/Mac/Linux
- Mobile: iOS, Android, Windows Phone
- Routers: DD-WRT, Tomato and ASUSWRT firmware
Here are some important features of the OpenVPN protocol:
- OpenVPN uses a client/server architecture (both are open-source)
- It runs over either TCP or UDP
- Supports IPv6
- Can push custom configurations to the VPN client
- The official port number is 1194, but servers may also listen on other ports, including 443
TCP vs. UDP
Your VPN provider may offer multiple configuration options, including which protocol OpenVPN will use, TCP or UDP.
Here’s a quick breakdown of the differences:
OpenVPN TCP (Transmission Control Protocol): delivers packets in sequence and validates the receipt of each data packet. Lost packets must be resent. TCP is best for circumstances where file integrity matters (web pages, file transfers).
OpenVPN UDP (User Datagram Protocol): UDP doesn’t require that data packets be delivered in sequence or re-sent if lost. It is perfect for high-bandwidth uses like gaming or streaming video.
For most VPN uses, UDP will be the better choice, especially if speed is a priority (e.g. streaming). UDP is also a better choice for low-bandwidth internet connections. OpenVPN over TCP can suffer from TCP meltdown (the tunnelled TCP connections and the tunnel’s own TCP connection both retransmit, compounding the delay) if your connection is too slow or unreliable.
OpenVPN Security & Privacy
OpenVPN is a highly secure protocol and uses a NIST-approved cipher library for encryption. This includes the AES encryption standard trusted by the US government for security-critical communications.
Is OpenVPN secure? Yes. OpenVPN is extremely secure. When properly configured, brute-forcing its encryption is computationally infeasible, and its certificate-based TLS authentication defeats man-in-the-middle attacks.
OpenVPN supports encryption keys up to 256-bit for the tunnel encryption and 4096-bit keys for authentication.
Most implementations use either 128-bit (faster) or 256-bit (stronger) keys for the VPN tunnel, but other key strengths are possible.
Supported ciphers include AES (the industry standard) in either CBC or GCM mode.
All of these options are considered secure. It’s up to your VPN provider to determine which is the best fit based on customer needs and their server architecture.
OpenVPN uses industry-standard best practices regarding privacy. Like all VPNs, OpenVPN hides the client’s real IP address from the remote server (e.g. a website you’re visiting). But that’s just the beginning.
OpenVPN uses Diffie-Hellman key exchanges to ensure forward secrecy. This means that if the encryption key for one VPN session is compromised, it won’t allow the decryption of any past or future VPN sessions.
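As an added example (not code from this article or from the OpenVPN project), here is a small Python linter that reads an OpenVPN client profile and flags the weak choices discussed in this section and in the TCP vs. UDP section: an outdated data-channel cipher, an HMAC hash below SHA-256, a missing server-certificate check or TLS 1.2 floor, and TCP transport. The directive names are real OpenVPN options; the two sample profiles are constructed for the example.

```python
# Added example, not from the original article or the OpenVPN project: a linter
# for OpenVPN client profiles (.ovpn) that flags the settings the article covers
# as weak: data-channel cipher, HMAC hash, the TLS floor and server-certificate
# check that defend against man-in-the-middle attacks, and TCP vs. UDP transport.
STRONG_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC",
                  "CHACHA20-POLY1305"}
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}

def parse_profile(text):
    """Map each directive to its args (last one wins), skipping comments and
    inline <ca>/<cert>/<key>/<tls-crypt> blocks."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, *args = line.split()
            opts[name] = args
    return opts

def lint_profile(text):
    """Return a list of findings; an empty list means no weak settings found."""
    opts, findings = parse_profile(text), []
    # 'data-ciphers' (OpenVPN 2.5+) overrides 'cipher'; with neither set the
    # historical default is the 64-bit-block Blowfish cipher BF-CBC.
    ciphers = opts.get("data-ciphers", [":".join(opts.get("cipher", ["BF-CBC"]))])
    for c in ciphers[0].upper().split(":"):
        if c not in STRONG_CIPHERS:
            findings.append(f"weak data-channel cipher {c}; prefer AES-256-GCM")
    auth = opts.get("auth", ["SHA1"])[0].upper()  # SHA1 is the built-in default
    if auth not in STRONG_AUTH:
        findings.append(f"auth {auth} is below the SHA256 industry standard")
    # Without this the client accepts any certificate the CA signed, even another
    # client's, so a rogue server could impersonate the real one.
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server' (server cert check)")
    if float(opts.get("tls-version-min", ["1.0"])[0]) < 1.2:
        findings.append("tls-version-min not raised to 1.2 for the control channel")
    if opts.get("proto", ["udp"])[0].lower().startswith("tcp"):
        findings.append("proto tcp: slower and risks TCP-over-TCP meltdown; prefer udp")
    return findings

# Constructed sample profiles (not from any real provider); CA body is a placeholder.
WEAK_PROFILE = "client\nproto tcp\ncipher BF-CBC\nauth SHA1\n<ca>\nPLACEHOLDER-PEM\n</ca>\n"
HARDENED_PROFILE = ("client\nproto udp\nremote-cert-tls server\ntls-version-min 1.2\n"
                    "data-ciphers AES-256-GCM:AES-128-GCM\nauth SHA256\n")
```

Running `lint_profile(WEAK_PROFILE)` yields five findings, while the hardened profile yields none.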
Device Support
OpenVPN is supported by a wide range of devices and operating systems, including computers, smartphones, tablets, routers and even NAS drives.
Here’s a detailed look at platform support:
- PC: Windows (since XP), macOS, Linux
- Mobile: iOS, Android
- Router and NAS firmware: DD-WRT, Tomato, OpenWRT, ASUSWRT, Synology
Beyond OS-level support, there are multiple third-party OpenVPN clients available for both desktop and mobile operating systems. Popular clients include Viscosity and Tunnelblick (macOS).
And it doesn’t stop there. Many of the top VPN providers also offer a custom, proprietary VPN client with integrated OpenVPN (sometimes alongside other protocols).
These clients extend the native capabilities of OpenVPN even further, adding advanced functionality like:
- auto-connect on untrusted Wi-Fi
- encrypted DNS
- app-level kill-switch
- VPN over Tor
- double-hop (multi-server) connections
- stealth mode
How OpenVPN compares to other protocols
OpenVPN isn’t the only VPN protocol. There are several others still in use, such as L2TP/IPsec, SSTP, and SoftEther. Legacy protocols like PPTP have fallen out of favor, and the newcomer WireGuard has surged in popularity.
Is OpenVPN the best VPN protocol?
For many use cases, OpenVPN is the best choice, simply because it is the most common. OpenVPN has the best device support, the greatest choice of VPN services and clients, and more than a decade of proven security.
The primary alternatives worth considering are L2TP/IPsec, which is a well-known and trusted protocol, and WireGuard which, while new, has seen strong adoption in the industry thanks to its blend of speed and security.

| Protocol | Summary |
|---|---|
| PPTP | No longer considered secure, limited device support and encryption options. OK for low-security uses like streaming. |
| L2TP/IPsec | Decent device support but less provider support than OpenVPN. Strong, secure encryption with average speeds. |
| OpenVPN | The most flexible protocol with great device support. Available from nearly all VPN providers, often with added features. Adjustable encryption to balance speed vs. security. |
| WireGuard | The leanest VPN code base. Outperforms OpenVPN head-to-head on speed. Considered secure by cryptographers, but it is new and doesn’t have the track record. |
Which VPNs support OpenVPN
Nearly every major consumer-grade VPN supports the OpenVPN protocol. In fact, you’d be hard-pressed to find a single reputable VPN that doesn’t.
Every VPN that we’ve tested and reviewed here on VPN University offers full OpenVPN support, often with flexible encryption and multiple server locations.
Here’s a short list of VPNs that support OpenVPN:
- Private Internet Access
OpenVPN Setup Guides:
Learn how to configure OpenVPN on a range of devices:
- OpenVPN Client GUI (Windows, Mac, Android)
- AsusWRT (Asus routers)
- Tunnelblick (Mac)
- DD-WRT (DD-WRT routers)