OpenVPN 2024 is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.
OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.
OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.
OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms.
Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.
What can I use OpenVPN for?
- Tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
- Configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,
- Use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
- Use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,
- Choose between static-key based conventional encryption or certificate-based public key encryption,
- Use static, pre-shared keys or TLS-based dynamic key exchange,
- Use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
- Tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
- Tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
- Tunnel networks over NAT,
- Create secure ethernet bridges using virtual tap devices, and
- Control OpenVPN using a GUI on Windows or Mac OS X.
How do I set up OpenVPN?
- Download OpenVPN for your operating system
- Run the downloaded file to install the client on your computer
- Enter the URL of an OpenVPN server, or drag and drop a configuration file (you can try VPNBook)
What is the difference between OpenVPN and OpenVPN Connect?
OpenVPN is open source, completely free, and supported by the community. OpenVPN Connect is the commercial implementation of OpenVPN. OpenVPN Connect has a free version but this version is limited to two connections. Both have a similar GUI.
Is OpenVPN free?
Yes, OpenVPN is free and open source. It does require some configuring, but ultimately it has no cost for the user.
What's New
Security fixes:
- Windows Installer: fix CVE-2023-7235 where installing to a non-default directory could lead to a local privilege escalation. Reported by Will Dormann.
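The fix for CVE-2023-7235 is to install with the patched installer. For installations already in place, an administrator can verify that the install tree is not writable by non-administrative users, which is the standard check for any directory holding binaries that run with elevated privileges. The following PowerShell script is an added example, not code from the OpenVPN project or from this page; it assumes the default path `C:\Program Files\OpenVPN` (pass the non-default directory actually used) and uses a constructed list of broad principals that should never hold write rights there.

```powershell
# Added example (not from the OpenVPN project): audit an OpenVPN install
# directory for write access granted to non-administrative principals.
# The default for $InstallDir is an assumption; pass the directory you used.
param(
    [string]$InstallDir = 'C:\Program Files\OpenVPN'
)

# Constructed list of broad principals: none of these should be able to
# change files in a directory whose binaries run elevated.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Access-mask bits that allow changing content or permissions:
# WriteData/CreateFiles (0x1), AppendData/CreateDirectories (0x4),
# WriteEA (0x10), DeleteSubdirectoriesAndFiles (0x40), WriteAttributes (0x100),
# Delete (0x10000), WriteDac (0x40000), WriteOwner (0x80000),
# plus the GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) forms that
# inherited ACEs often carry. Raw integers are used so generic bits are caught.
$WriteMask = 0x1 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 `
    -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-OpenVpnDirAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Directory not found: $Path"
        return @()
    }
    $findings = @()
    # Check the directory itself plus every file and subdirectory under it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $id) { continue }
            $raw = [int]$ace.FileSystemRights
            if (($raw -band $WriteMask) -ne 0) {
                $findings += [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
    return $findings
}

$results = @(Test-OpenVpnDirAcl -Path $InstallDir)
if ($results.Count -eq 0) {
    Write-Host "OK: no write access for broad principals under $InstallDir"
} else {
    Write-Host "Review: write access for broad principals under $InstallDir"
    $results | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that every ACL in the tree can be read. Inherited entries flagged by the script usually mean the directory was created under a parent (for example a user-chosen folder) whose permissions were never tightened; the remedy is to reinstall with the fixed installer or to reset the tree's ACL so that only administrators and SYSTEM hold write rights.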
New features:
- Add support for building with mbedTLS 3.x.x
- New option --force-tls-key-material-export to only accept clients that can do TLS keying material export to generate session keys (mostly an internal option to better deal with TLS 1.0 PRF failures).
- Windows: bump vcpkg-ports/pkcs11-helper to 1.30
- Log incoming SSL alerts in an easier-to-understand form and move this logging from --verb 8 to --verb 3.
- protocol_dump(): add support for printing --tls-crypt packets
User visible changes:
- License change is now complete, and all code has been re-licensed under the new license (still GPLv2, but with new linking exception for Apache2 licensed code). See COPYING for details. Code that could not be re-licensed has been removed or rewritten.
- The original code for the --tls-export-cert feature has been removed (due to the re-licensing effort) and rewritten without looking at the original code. Feature-compatibility has been tested by other developers, looking at both old and new code and documentation, so there *should* not be a user-visible change here.
- IPv6 route addition/deletion are now logged on the same level (3) as for IPv4. Previously IPv6 was always logged at --verb 1.
- Better handling of TLS 1.0 PRF failures in the underlying SSL library (e.g. on some FIPS builds): this is now reported on startup, and clients before 2.6.0 that cannot use TLS EKM to generate key material are rejected by the server. Error messages are also improved so that it is clear what exactly failed.
Notable bug fixes:
- FreeBSD: for servers with multiple clients, reporting of peer traffic statistics would fail due to insufficient buffer space (Github: #487)
Windows MSI changes since 2.6.8:
- Security fix, see above
- Built against OpenSSL 3.2.0
- Included openvpn-gui updated to 11.47.0.0
- Windows GUI: always update tray icon on state change (Github: #669) (for persistent connection profiles, "connecting" state would not show)