Talk:OpenVPN

Latest comment: 3 years ago by 68.206.248.178 in topic Could the Lede be Dumbed-down?

OpenVPN protocol

edit

I had added the text "OpenVPN runs a custom security protocol based on SSL and TLS. Since it is an unpublished protocol nothing is known of its security.", and I've seen it was reverted. Are there any facts against my comment? Has the openvpn protocol ever been published? (except for source code) — Preceding unsigned comment added by 134.58.253.57 (talk) 10:04, 28 September 2011 (UTC)Reply

The OpenVPN protocol is heavily based upon the SSL/TLS protocol. But it adds a few extra bytes to each packet to support SSL/TLS over UDP. The SSL/TLS protocol is designed to be used with TCP, where the TCP protocol takes care of the connection state (SYN/SYNACK/ACK/FIN). TCP also have mechanisms for handling packet replays (packet order and resending of lost packets). UDP is lacking these features, and UDP is far more suitable for VPN than UDP (See the article "Why TCP Over TCP Is A Bad Idea"[1] and this note[2] from James Yonan for more info). The OpenVPN protocol also adds an additional layer of HMAC authentication (via the --tls-auth option) on top of the SSL/TLS packets. Except of these differences, the OpenVPN protocol is pretty much standard SSL/TLS. For more info, please contact the developers on #openvpn-devel @ FreeNode (Thursdays James Yonan is also often availble). The protocol itself is documented here: http://openvpn.net/index.php/open-source/documentation/security-overview.html ... kind regards, David Sommerseth — Preceding unsigned comment added by 84.208.197.30 (talk) 19:37, 10 October 2011 (UTC)Reply

References

What you describe is not a trivial change and the description in the web page you describe is really terse. Check for example the Datagram TLS (DTLS) description, an IETF protocol, which does exactly what you are trying to do. Why not use that protocol instead of a custom? Nmav (talk) 20:09, 15 October 2011 (UTC)Reply
I never said it was a trivial change. However, the DTLS protocol might have been a good option if it had been available and documented in 2002 when the first OpenVPN version was released. (The DTLS RFC was released in 2006) It has been important for OpenVPN to stay as compatible to older versions as possible so far, which is why this has not been implemented. But this is something to bring into the roadmap discussions for OpenVPN3, where it is being considered to change the current protocol. Kind regards, David Sommerseth 90.152.67.58 (talk) 12:49, 4 November 2011 (UTC)Reply

OpenVPN Access Server License Confusion

edit

A recent edit added "(free for 2 concurrent users only)" which is incorrect. OpenVPN is free software. I believe the editor confused the OpenVPN Access Server license with the license for OpenVPN itself. It was a good faith edit but incorrect. Therefore I think the addition simply needs to be removed. WinterTree7 (talk) 09:40, 13 December 2009 (UTC)Reply

I've reverted the change, changed the links to point at http://openvpn.net/index.php/open-source.html (the closest thing to a project homepage, instead of openvpn.net which appears to be the company homepage), and removed the link to OpenVPN-AS which were causing confusion (I think there should be a section on OpenVPN-AS to reduce confusion, but until then, removing the links is the best solution I can think of).
I'm not sure how they manage to place restrictions on OpenVPN-AS when many libraries they use (not only OpenVPN) are GPLv2, but I can't be bothered and it's beyond the scope of this talk page. ⇌Elektron 13:44, 13 December 2009 (UTC)Reply

Infobox

edit

OpenVPN needed a {{Infobox software}}, so I added one. I was too lazy to download the logo graphic; could someone else upload to commons if it's not already there, and add it to the infobox? --Teratornis 02:31, 12 March 2007 (UTC)Reply

I just uploaded the OpenVPN logo graphic to Wikimedia commons and then added it here in the OpenVPN article infobox. Marycontrary 23:24, 12 March 2007 (UTC)Reply

Creator

edit

Is it really necessary to have a link for James Yonan? It goes back to the OpenVPN article, seems rather pointless to me. KyjL (talk) 18:28, 4 February 2008 (UTC)Reply

Pictures, please

edit

Please provide charts/diagrams that make the structure of an OpenVPN network understandable at one sight. Is it more peer to peer focussed? Or server-client? Or can I run a whole net like with hamashi or i2p? —Preceding unsigned comment added by 84.60.45.167 (talk) 11:25, 18 February 2008 (UTC)Reply

uses

edit

can this be used for games - to play to LAN? —Preceding unsigned comment added by 69.63.51.189 (talk) 17:56, 13 September 2008 (UTC)Reply

Long answer: Yes it can, given that OpenVPN even supports layer 2 ethernet "tapping" and not only tunneling, you should actually have the identical situation as if the dialed in host were in the network (besides the obvious lag, bandwidth sharing, etc..). So you can even play games that are based on discovering servers with Ethernet Broadcast and even non-IP protocols like IPX should be possible (aforementioned cases are true for many old games like Starcraft 1 before the UDP patch, etc.) - if OpenVPN is setup correctly to do that. However, the idea of a VPN in the first place is to provide such a situation, so it is not specific to OpenVPN but to all VPN solutions, such that the possibility to use OpenVPN for lanplay should not be mentioned here but in the general VPN article. Speaking of that, there is even a sentence right now mentioning that in the article intro, which imho should be [removed/moved to VPN].
Short answer: Yes, but all VPNs can do that, not only OpenVPN, so that it should only be mentioned in the general VPN article and not here (imho)--Methossant (talk) 04:24, 18 March 2011 (UTC)Reply


I agree:
it should only be mentioned in the general VPN article and not here (imho)
Removing this content.
96.37.45.232 (talk) 01:50, 16 August 2011 (UTC)Reply

Mobile

edit

I think the current "While most mobile phone OSes (iOS, Palm OS, etc) do not support OpenVPN, it is available for Maemo,[14] Windows Mobile 6.5 and below [15], and Android devices which have had the Cyanogenmod aftermarket firmware flashed[16] or have the correct kernel module installed." Should be more accurately "While most mobile devices do not officially support OpenVPN, it is possible to install on most devices including Maemo, Meego, Android, iOS, WebOS, Windows Mobile 6.5 and below." At least on iOS and Android it does require rooting/jailbraking which should probably be reflected in the article. Meego and Maemo should support it without hacking. --91.152.78.150 (talk) 12:25, 10 June 2011 (UTC)Reply

Is this *not* a standard?

edit

OpenVPN's overview starts by noting that "OpenVPN is a full-featured open source SSL VPN solution". Is this any different than anyone else's SSL VPN, like the ones in Juniper gear or the Cisco 5505? Could an OpenVPN desktop client talk to a 5505? Maury Markowitz (talk) 18:54, 23 March 2012 (UTC)Reply

This isn't a support page. But to quickly clarify this, OpenVPN uses it's own protocol over SSL, just as Juniper and Cisco. So OpenVPN, Junipier and Cisco SSL based VPNs are not compatible at all. But as OpenVPN is open source, the protocol is also open and other open source project may implement their own VPN software which can become compatible with OpenVPN. Kind regards David Sommerseth — Preceding unsigned comment added by 84.208.197.30 (talk) 09:06, 25 April 2012 (UTC)Reply

Major Bug (probably with OpenVPN)

edit

I followed http://www.vpnbook.com/howto/setup-openvpn-on-windowsxp Visited openvpn.net downloaded and after installed openvpn-client.msi as the guide above shows. Setup and connected with a new ip via vpnbook-euro1-443 server config.

I then as always with any net connection change visit the only place every one should grc.com and test with shields up.

Problem I found they are now three ports open where before openvpn-vpnbook setup there were no ports open. Ports now open are 80, 443 and I think also was 123 cannot check as have uninstalled all the above for security sake. That no port should ever be open 80 and 443 red totally open and exposed to all attacks. Port 123 (i think it was 123) was blue but not green, all ports should be green.

So before you make another release maybe you should check with grc.com also. No doubt many people are using the software but mabe they were all secure before are sure not secure now. Shut the (port) doors tight forever please don't leave them open to abuse. Make it obvious in the change log so we all know this fix is fixed. Pu in place a check so it never happens again.

If is not openvpn-client.msi at fault and somehow vpnbook.com profiles please make sure vpnboo.com fix these problems. Though I guess 100% it is openvpn-client.msi that is at fault since vpnbook would be only server settings and security keys as a guess. And the reason I have not contacted vpnbook about this as 100% sure it is the openvpn-client.msi that is at fault.

Why write here because there is no other way to contact you to report this. If you know of this problem you would have said correct ? If you do and have not then this software is worth 0% out of 9999999999999999999999999*9google_infinitives%. Lets say you didn't know and now you do. Better is to get rid of that trac bugcraptrac or at least let everyone report without needing to join. Heck who wants to join to report a bug, such as this used software only to know it is insecure. Do you think I'm really wanting to use it further as it is. Do you think even if it was ok I would join to give bug reports to all of these the answer is no. So better to make bug report and more open as the software is. You cannot be half open, it is all or nothing decision needed.

Yes this is the way it with people think of the thousands of softwares that are released. If one person installs 100 a year is something else. Lets say 30 of those have problem do you actually think people are going to join trac, boards or other to report. No they may visit to tell you but that is it for the many will think heck not bothering with that. Make it easy for us and we will help you.

Take this one as something special since no further feedback if I ever use openvpn again will ever come from me. Not until you change the software and make available free open bug reports with need to join, registration and all that crap

Hope this help if not visit grc.com yourself and figure what is wrong with openvpn-client.msi install. And I guess will affect all installs that openvpn.net has not just this one. 78.150.249.197 (talk) — Preceding undated comment added 22:11, 20 April 2014 (UTC)Reply

How openvpn (2.3.x) select the default address/interface to reply?

edit

Hello everyone, could somebody summarize which is the mechanism that select the interface/ip through which a openvpn server replies? Because if i have two internet connections on a openwrt (version 12.09) system, and related to those connections i have two default rules with different metrics (let's say: wan1 metric 10 and wan2 metric 20), then even if i reach the openvpn server port through the connection 'wan2', the openvpn server selects the connection 'wan1' to reply. And this surprise me. If a summary is too difficult, even pointing out a source where i can read this would be helpful. My searches through search engines were not fruitful. Many thanks. --Pier4r (talk) 15:29, 26 March 2015 (UTC)Reply

edit

I got a popup warning in Windows asking me to install it. ...this seems like a gibberish "blue sea," like an ad to SysAdmins,...thus this article does not meet Wiki guidlines. Some examples from the lede, which should be especially non-technical and Big-Picture:

"OpenVPN is open-source commercial[11] software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[12] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).[13] 

OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority. It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features.

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, also has an implementation of OpenVPN protocol.

Please See: MOS:JARGON: "Some topics are intrinsically technical, but editors should try to make them understandable to as many readers as possible. Minimize jargon, or at least explain it or tag it using the Technical tag or [jargon] for other editors to fix.   For unavoidably technical articles, a separate introductory article (like Introduction to general relativity) may be the best solution.   Avoid excessive wikilinking (linking within Wikipedia) as a substitute for parenthetic explanations such as the one in this sentence.
Do not introduce new and specialized words simply to teach them to the reader when more common alternatives will do.   When the notions named by jargon are too complex to explain concisely in a few parenthetical words, write one level down."
... etc
--2602:306:CFCE:1EE0:58FD:E028:ECB9:4AE (talk) 20:57, 22 May 2020 (UTC) Just SayingReply

Could the Lede be Dumbed-down?

edit

I and most everyone else understands what a "VPN" is. The Lede seems to indicate OpenVPN is something different, else why would people pay money for a Private VPN (Nord, PIA, etc...). In practical terms that a layperson can understand, what is the difference between OpenVPN and something you pay for? The Lede should make this contrast/distinction immediately before going straight to the technical stuff most people will never understand.68.206.248.178 (talk) 02:41, 25 April 2021 (UTC)Reply