OpenVPN is a well-respected, free, open source Virtual Private Network (VPN) solution. It works on most versions of Windows (Windows Vista support is expected soon), Mac OS X and Linux. OpenVPN is SSL-based, which means it uses the same type of encryption that is used when visiting secure Web sites where the URL starts with https.
|Supported operating system|
|Localization|English, German, Italian, French and Spanish|
OpenVPN is not suitable for temporary use in Internet cafés or elsewhere on shared computers where you can't install additional software.
For a more general presentation of VPNs and ready-to-use VPN services, read the "VPN Services" chapter in this manual.
In an OpenVPN system, there is one computer set up as a server (in an unrestricted location), and one or more clients. The server must be set up to be accessible from the Internet, not blocked by a firewall and with a publicly routable IP address (in some places, the person establishing the server may have to request this from their ISP). Each client connects to the server and creates a VPN tunnel through which traffic from the client can pass.
There are commercial OpenVPN providers such as WiTopia (http://witopia.net/personalmore.html) where you can purchase access to an OpenVPN server for a fee of about 5-10 US dollars a month. These providers will also help you install and configure OpenVPN on your computer. A list of such commercial providers is available at http://en.cship.org/wiki/VPN.
OpenVPN can also be used by a trusted contact in an unfiltered location, who provides an OpenVPN server to one or more clients and passes their traffic through his or her computer before it continues on to the Internet. Setting this up correctly is somewhat complicated, however.
Tips for setting up OpenVPN
To set up your own OpenVPN server and client, follow the documentation provided by OpenVPN (http://openvpn.net/index.php/documentation/howto.html). If you want to use OpenVPN to visit blocked Web sites, the following notes are important:
There is a graphical user interface (GUI) available for Windows which will make it easy to start and stop OpenVPN as required, and also enables you to configure OpenVPN to use an HTTP proxy to get onto the Internet. To download the GUI go to http://openvpn.se.
To configure OpenVPN to use a proxy server in Linux or Mac OS X, read the relevant section on the Web site (http://openvpn.net/index.php/documentation/howto.html#http).
- When choosing between routing and bridging, there is no additional advantage in configuring bridging when your clients just want to use it to bypass Internet censorship. Choose routing.
- Pay special attention to the section of the guide that explains how to ensure that all traffic from the client is passed through the server. Without this configuration the system will not help you to visit blocked Web pages (http://openvpn.net/index.php/documentation/howto.html#redirect).
- If the client computer is behind a very restrictive firewall, and the default OpenVPN port is blocked, it is possible to change the port that OpenVPN uses. One option is to use port 443, which is normally used for secure websites (HTTPS), and to switch to the TCP protocol instead of UDP. In this configuration, it is difficult for firewall operators to differentiate between OpenVPN traffic and normal secure Web traffic. To do this, near the top of the configuration files on both the client and server, replace "proto udp" with "proto tcp" and "port 1194" with "port 443".
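The three notes above can be checked mechanically before you rely on a client configuration. The following script is an added example, not part of this manual or of the OpenVPN documentation; the function names, issue codes and sample configurations (including the host vpn.example.org) are constructed for illustration.

```python
# Added example: audit an OpenVPN client config against the notes above.
# Function names, issue codes and both sample configs are constructed.

def parse_directives(text):
    """Return (directive, args) pairs, skipping blank and '#'/';' comment lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def audit_client_config(text):
    """Return a list of issue codes; an empty list means all checks passed."""
    proto, port, dev, redirect = "udp", "1194", None, False  # OpenVPN defaults
    for name, args in parse_directives(text):
        if name == "proto" and args:
            proto = args[0]
        elif name == "port" and args:
            port = args[0]
        elif name == "remote" and len(args) >= 2:
            port = args[1]              # "remote host port [proto]"
            if len(args) >= 3:
                proto = args[2]
        elif name == "dev" and args:
            dev = args[0]
        elif name == "redirect-gateway":
            redirect = True
    issues = []
    if dev and dev.startswith("tap"):   # tap = bridging, tun = routing
        issues.append("bridging")
    if not proto.startswith("tcp"):     # also accepts tcp-client
        issues.append("proto-not-tcp")
    if port != "443":
        issues.append("port-not-443")
    if not redirect:                    # the server may push it instead:
        issues.append("no-redirect-gateway")  # check the server config too
    return issues

BEFORE = "client\ndev tun\nproto udp\nremote vpn.example.org 1194\n;redirect-gateway def1\n"
AFTER = "client\ndev tun\nproto tcp\nremote vpn.example.org 443\nredirect-gateway def1\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_client_config(cfg) or "ok")
```

A "no-redirect-gateway" result only means the directive is missing from the client file; if the server pushes it to clients, traffic is still routed through the tunnel.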
Advantages and risks
Once it is set up and configured correctly, OpenVPN can provide an effective way to bypass Internet filters. Since all traffic is encrypted between the client and the server, and can pass through a single port, it is very difficult to distinguish from any other secure Web traffic, such as data going to an online shopping site or other encrypted services.
OpenVPN can be used for all Internet traffic, including Web traffic, e-mail, instant messaging and VoIP.
OpenVPN also provides a degree of protection against surveillance, as long as you can trust the owner of the OpenVPN server, and you have followed the instructions in the OpenVPN documentation on how to handle the certificates and keys used. Remember that traffic is only encrypted as far as the OpenVPN server, after which it passes unencrypted onto the Internet.
The primary disadvantage of OpenVPN is the difficulty of installation and configuration. It also requires access to a server in an unrestricted location. OpenVPN also does not reliably provide anonymity.