What are the downsides of OpenVPN?

28

5

I have been seeing so many people always wrestling with IPSec, and many other secure VPN technologies. I, for one, have always simply used OpenVPN, with beautiful and simple and versatile results. I've used it on DD-WRT routers, big servers and Android phones, to name a few.

Could someone please explain to me what I am missing out on? Are there any downsides to OpenVPN that I am not aware of? Does IPSec and friends offer some awesome feature that I didn't know about? Why isn't everyone using OpenVPN?

user1056

Posted 2013-05-26T19:42:50.340

Reputation: 143

Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer. – Ron Maupin – 2017-08-09T15:41:15.373

Answers

18

IMHO, the biggest disadvantage to OpenVPN is that it's not interoperable with the vast majority of products from "big name" network vendors out there. Cisco & Juniper's security and router products don't support it - they only support IPsec and proprietary SSL VPNs. Palo Alto, Fortinet, Check Point, etc. don't support it, either. So, if your organization / enterprise wants to set up a site-to-site extranet VPN to another company and you've only got an OpenVPN appliance, you're probably going to be out of luck.

That being said, some network hardware & software companies are starting to embrace OpenVPN. MikroTik is one of them. It's been supported since RouterOS 3.x:

http://wiki.mikrotik.com/wiki/OpenVPN

Also, for the longest time the only way to run an OpenVPN client on Apple's iOS required jailbreaking. This is not so, anymore:

https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8

Overall, the situation is improving. However, without vendors like Cisco & Juniper implementing it in their products, I can't see large enterprises adopting it without facing interoperability problems.

Mark Kamichoff

Posted 2013-05-26T19:42:50.340

Reputation: 196

As well as MikroTik, OpenVPN is in (and has been in for a while now) pfSense http://www.pfsense.org/ (although I don't believe you can create site-to-site tunnels with it, maybe through the CLI?). – jwbensley – 2013-05-28T09:04:52.610

I didn't know there was an OpenVPN iOS app, yay! – zevlag – 2013-05-30T15:45:00.550

5

IPSEC is standard. Almost every networking vendor supports it. You can't achieve the same level of interoperability between routers with OpenVPN.

As David said, nothing is wrong with OpenVPN for a client VPN solution. For site-to-site VPNs or infrastructure solutions I'd pick IPSEC VPN.

sergejv

Posted 2013-05-26T19:42:50.340

Reputation: 91

4

One of the downsides is that in a corporate environment some managers don't like to rely on open source software.

I personally see nothing wrong with OpenVPN for a user VPN solution.

IPSEC can be implemented in hardware (or rather the encryption element of IPSEC) and so is useful when you want to push a lot of data over a VPN and don't want to sacrifice CPU power on the end user stations.

David Rothera

Posted 2013-05-26T19:42:50.340

Reputation: 2 568

There are fully-in-hardware IPsec solutions. However they're a) expensive, and b) almost always Windows (Server) proprietary. (Crypto in-line with the NIC [Cavium], or built directly into the NIC [Intel].) – Ricky Beam – 2013-05-26T21:42:03.297

I was referring more to the likes of the ASA's that do crypto in hardware. – David Rothera – 2013-05-26T21:50:07.910

I was thinking of a NIC that does it. A lot of router/firewall hardware has crypto chips these days. (Key setup being the very expensive part, though the anemic processors used in most routers need it for traffic as well.) – Ricky Beam – 2013-05-26T22:40:09.087

I think the IPSEC-in-hardware point is a massive plus for IPSEC. OpenVPN used to be (and I believe it still is, but I can't find any definitive documentation either way) single threaded. Assisting in the initial investigation of a commercial VPN company starting up, it was abandoned because OpenVPN wasn't going to be fast enough. See this ServerFault answer for some insight (it's more about concurrent connections): http://serverfault.com/questions/439848/openvpn-performance-how-many-concurrent-clients-are-possible. Speed may not be that important for you; we were looking at selling 100Mbps VPNs. – jwbensley – 2013-05-28T09:15:30.133

1

  • OpenVPN has a more secure implementation (userspace vs. kernel).

  • It works better with firewalls and NAT (no need to ensure NAT-T) and is difficult to filter.

  • It is a lot less complicated than IPsec.

hyussuf

Posted 2013-05-26T19:42:50.340

Reputation: 302

The question is asking about the downsides of OpenVPN... – tegbains – 2013-05-27T05:27:47.583

User space is not inherently more secure than kernel space, and security is best decided by review and testing -- one is standardized for a reason. – mikebabcock – 2013-05-29T20:53:09.073

2

Actually it is. Implementing VPN in user-space is more secure from a systems perspective than in the kernel. For more details have a look at this SANS paper about SSL-based VPNs: http://www.sans.org/reading_room/whitepapers/vpns/openvpn-ssl-vpn-revolution_1459 – hyussuf – 2013-05-30T22:36:12.920

Things have evolved somewhat since this answer was originally posted; in particular, the Heartbleed vulnerability in 2014 has unfortunately reminded us all how deep vulnerabilities in OpenSSL can affect the whole of OpenVPN. It also demonstrated that running in userspace doesn't make attacks less critical, given that VPN software has a very high probability of being in contact with highly sensitive content, often tracing the path to acquire root privilege on the VPN's machine and/or other machines around it. Finally, most corporate firewall solutions now block OpenVPN through Deep Packet Inspection… – jwatkins – 2016-07-19T18:37:42.103

1

I prefer IPSec almost every time because I'm familiar with it and it just always works. Being standards based, it's supported by nearly everything, from phones and tablets to Windows and Linux machines, and it has useful features like NAT support and dead peer detection.

FYI I use primarily Openswan on Linux.

One of the major security reasons we prefer IPSec is rotating session keys. OpenVPN may have implemented this (but I don't see it). This means that an attacker who passively captures data long-term can't brute-force the entire communication log at once, but only each individual session key's worth.

mikebabcock

Posted 2013-05-26T19:42:50.340

Reputation: 111

Just as a comparison, OpenVPN also works through NAT, and is supported on PCs, phones and tablets (Windows, Mac OS X, Linux, BSD, Android, iOS, and so on). – jwbensley – 2013-05-28T09:02:40.613

I meant built-in support, perhaps not obviously @javano – mikebabcock – 2013-05-29T20:54:48.923

I'm going to assume you've never used OpenVPN. No one who has used OpenVPN and IPsec will choose IPsec because it "just always works". Among OpenVPN's biggest advantages are its drastically reduced complexity and ease of troubleshooting. I say this as someone who converted hundreds of remote Linux appliances (living at customer sites) from IPsec to OpenVPN some years ago. IPsec is good if you have to connect to something you don't manage/control that only supports IPsec. OpenVPN is a better choice in almost every other case. – Christopher Cashell – 2016-05-27T16:39:54.337

1

OpenVPN does not have certain regulatory certifications, like FIPS 140-2 support.

awh

Posted 2013-05-26T19:42:50.340

Reputation: 31

There actually is FIPS 140-2 support possible with OpenVPN... there was a certified build of OpenSSL and patches to OpenVPN to use it in a certified way... we're doing exactly that, in fact. – Jeff McAdams – 2013-05-26T21:57:35.520

0

The only technical downside to OpenVPN I see is that in comparison with its competitors the system introduces a lot of latency in the VPN links. Update: I've found that this was a fault not with OpenVPN generally, but with my tests only. When OpenVPN is run on the TCP protocol, the TCP overhead makes OpenVPN slightly slower. L2TP uses fixed ports and protocols for interoperability and hence there is no feature to run it on TCP. OpenVPN on UDP seems to be faster for many other users.

The only other advantage while using PPTP/L2TP/IPsec is that I've found it easier to set up on a Windows machine or an iPhone without installing any additional client-side software. YMMV.

You might want to read this page

Surajram Kumaravel

Posted 2013-05-26T19:42:50.340

Reputation: 449

Where I work, we use OpenVPN quite a lot and are unaware of additional latency concerns because of it. Can you elaborate on the nature of that? – Jeff McAdams – 2013-05-26T20:32:09.487

I tested OpenVPN, L2TP and PPTP when trying to encrypt a connection to my VoIP server while using softphones on remote workstations. I found OpenVPN introduced the most latency and PPTP was the fastest. Eventually I went with L2TP.

The latency issues showed up only on a few poor 3G networks, but even on the same networks L2TP seemed to work fine. – Surajram Kumaravel – 2013-05-26T20:59:47.843

Reading http://www.ivpn.net/pptp-vs-l2tp-vs-openvpn makes me think this was a specific issue with my setup and not a general problem. Thanks for helping me realize that, Jeff! – Surajram Kumaravel – 2013-05-26T21:34:26.993
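As an added example, not taken from any answer on this page, here is a minimal OpenVPN 2.4+ server configuration that addresses two points raised above: UDP transport rather than TCP (the TCP overhead described in Surajram Kumaravel's answer) and periodic data-channel rekeying via `reneg-sec` (the rotating session keys mikebabcock's answer asks about). All file paths, the port and the tunnel subnet are placeholders.

```conf
# Added example: minimal OpenVPN server.conf (placeholder paths/addresses).
port 1194
proto udp                      # UDP, not TCP: avoids TCP-over-TCP overhead
dev tun

ca   /etc/openvpn/ca.crt       # placeholder paths; use your own PKI
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/ta.key  # encrypt and authenticate the control channel

server 10.8.0.0 255.255.255.0  # placeholder tunnel subnet

# Data-channel rekeying: renegotiate session keys every 3600 seconds (also the
# default), so a long passive capture is split into independently keyed segments.
reneg-sec 3600

cipher AES-256-GCM             # AEAD data-channel cipher
auth SHA256                    # HMAC used for tls-crypt control packets
tls-version-min 1.2
remote-cert-tls client         # only accept peers whose cert carries the client EKU

keepalive 10 120
persist-key
persist-tun
user nobody                    # userspace daemon drops root after startup
group nogroup
```

Clients must set the matching `proto udp` and the same `tls-crypt` key; `reneg-sec` can be set on either side, and the lower value wins.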

0

OpenVPN has a spoke layout, so all communication would need to route through the main server. Tinc-VPN can do routing between different sites. You can read this blog: http://www.allsundry.com/2011/04/10/tinc-better-than-openvpn/

PokerFace

Posted 2013-05-26T19:42:50.340

Reputation: 101