What is OpenVPN & Key Limitations
OpenVPN is a twenty-year-old protocol for delivering remote access to protected networks. Available in many commercial and consumer VPN applications, OpenVPN is a simpler, more performant alternative to IPsec. Yet, OpenVPN suffers from the weaknesses inherent to all VPN technologies. It simply is not designed to handle the realities of today’s distributed, cloud-enabled networking ecosystem.
In this article, we will explain why OpenVPN and other VPN protocols are no longer suited to how the world works today. We will compare Twingate with OpenVPN’s legacy technology and show how our modern approach is more secure, more performant, easier to use, and more responsive to today’s dynamic business conditions.
OpenVPN is an open-source protocol for establishing virtual private network connections. First developed in 2001, the protocol’s configurability has led to widespread adoption by consumer and commercial VPN providers alike. The capabilities this protocol offers include:
- SSL/TLS security through the OpenSSL library
- TCP/UDP tunneling
- Dynamic IP addressing and DHCP
- Native authentication through pre-shared keys or certificates
With twenty years of community development effort behind it, the OpenVPN protocol has been ported to a wide range of platforms including all major desktop and mobile operating systems. Open-source VPN router firmware projects such as DD-WRT have also integrated the OpenVPN protocol.
The project’s original developers also founded OpenVPN, Inc. to commercialize their protocol through two main product lines. OpenVPN Access Server is a Linux-based VPN solution for small and medium businesses. OpenVPN Cloud is a managed remote access service that lets companies avoid maintaining their own servers.
The VPN architecture that OpenVPN is based on is as old as the public internet. VPNs were originally developed to provide secure, network-to-network connections over the internet. That fundamental concept remained in place as the technology evolved to support remote access. As a result, VPN technologies create two major security weaknesses:
- Public visibility - All VPN gateways must be reachable from the public internet, which lets hackers monitor them for vulnerabilities.
- Network access - A compromised client device or VPN gateway gives hackers full access to the protected network.
Zero Trust Network Access solutions such as Twingate’s are designed for a networking environment in which nothing is reliably secure. Breaches could happen at any time — and may already be in progress.
Rather than defending entire networks, Twingate establishes software-defined perimeters around each resource, hiding it from public and private networks alike. Connections are only created once a user has been authenticated and authorized through role-based least-privilege access policies. Twingate’s Zero Trust solution dramatically reduces an organization’s attack surface and limits hackers’ abilities to move through a network.
At the heart of OpenVPN’s decades-old architecture is the assumption that a company’s resources, devices, and users are in the same physical location. Today’s internet-connected architectures make this secure perimeter paradigm obsolete. Resources and users could be anywhere. The OpenVPN protocol’s outdated model imposes severe performance penalties on company networks and the user experience.
- Network congestion - VPN gateways are bottlenecks through which all remote traffic flows. But gateway capacity is limited. Without expensive upgrades, the congestion caused by remote working impacts network performance.
- Network latency - Traffic flowing between remote users and cloud resources must pass through the VPN gateway. This two-step routing adds latency to users’ connections and undermines productivity.
Twingate eliminates these performance penalties by establishing direct, encrypted connections between user devices and resources. In addition, default split tunneling shifts non-essential user traffic to the public internet. Replacing legacy OpenVPN with Twingate’s Zero Trust solution lowers bandwidth demands on private networks and reduces the latency of user connections.
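The routing difference behind the congestion and latency points above, shown as two OpenVPN server configuration variants. This is an added illustration, not configuration from the original article, Twingate or OpenVPN Inc.; the subnets, DNS address and file names are assumed for the example.

```conf
# Added example: two separate OpenVPN server files contrasting
# full-tunnel routing with split tunneling. All addresses are constructed.

# ---- File 1 (assumed name: server-full.conf): full tunnel ----
# Every remote client's traffic, including ordinary web browsing, is
# routed through this gateway, so the gateway carries all remote load
# and every cloud-bound request takes the two-step path via the VPN.
server 10.8.0.0 255.255.255.0      # assumed tunnel address pool
# 'def1' overrides the client's default route without deleting it.
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.53"   # assumed internal resolver

# ---- File 2 (assumed name: server-split.conf): split tunnel ----
# The client keeps its own default route. Only the assumed private
# range 10.0.0.0/16 is sent through the gateway; public-internet
# traffic never transits the VPN server.
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
push "dhcp-option DNS 10.0.0.53"

# A client can also force split tunneling locally by ignoring pushed
# routes ('route-nopull') and adding only the private range itself:
#   route-nopull
#   route 10.0.0.0 255.255.0.0
```

File 2 is the variant that takes public-internet traffic off the gateway; it is also the one in which the client sits on both networks at once, so the per-resource authorization and device-posture controls described later in the article matter most there.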
Whether using OpenVPN or other protocols, VPN-based remote access technologies are difficult to use and manage. End-users must frequently interact with the VPN client software. This is especially true when companies mitigate VPN’s weaknesses through network segmentation. Users must connect and disconnect their VPN each time they need a resource on a different subnet.
Since VPN is a remote access solution, it does not apply to on-premises workers. A company’s VPN system is also limited to protecting its private networks. Cloud platforms have their own VPN security systems. As a result, administrators must synchronize policies and permissions across these separate access control systems.
Twingate eliminates these sources of friction. No matter where users are, they get a better experience with a client app that works seamlessly with every resource. Administrators can use simple management consoles to apply consistent policies no matter where the user or resource is located.
OpenVPN and other legacy technologies integrate access control into the network architecture. This makes VPN more brittle and less responsive to changing business demands. Any changes to the network will impact access policies and vice versa. Ensuring that changes do not impact operations takes time and resources.
Twingate’s software-based solution decouples access control from the physical network. No new infrastructure or changes to configurations are needed. Network administrators can keep the existing network names and IP addresses. In addition, Twingate integrates with major identity providers and other elements of a company’s existing security stack.
Twingate customers have deployed their Zero Trust systems in as little as 15 minutes. Our service-based model removes much of the burden that VPN change management places on IT teams. As business demands evolve, easy-to-use consoles let administrators add, change, and remove user permissions with a few mouse clicks.
Like many open-source projects, the support for the OpenVPN protocol is a mix of community-driven forums and vendor-specific resources. This can get complicated since VPN vendors may modify their implementation of OpenVPN. For example, some vendors will use different encryption algorithms to improve performance on their OpenVPN servers. Identifying the best source for support in these cases is not always clear-cut.
Twingate customers have a single source for all their support needs. Individuals and small teams using our free Starter Tier can rely on a community forum focused on Twingate’s solution. Large teams and organizations using our paid tiers have direct access to Twingate’s support team.
Twingate’s modern, Zero Trust security solution delivers more than remote access control. You can enhance your organization with additional capabilities including:
- Universal 2-factor authentication - Twingate integrates with 2FA providers and extends 2FA protection to any private resource. Without any settings changes, services such as SSH can get the same level of access control as databases and other resources.
- Device restrictions - Take access control beyond user identity by applying authorizations based on the posture of specific devices. As access requests are made, Twingate can evaluate the device’s security settings, operating system status, and other variables. Policies can limit or prohibit access based on the device’s real-time security posture.
- Activity logging - Twingate’s extensive logging gives administrators enterprise-wide visibility over how their networks are being used. All activity logs are indexed to the identity of each user and device to better establish baseline usage patterns and identify unusual activity.
- DNS filtering - Besides integrating with identity providers, Twingate is compatible with other security services such as DNS filtering to help protect users’ public internet access.
OpenVPN and other VPN protocols were developed in a networking world that no longer exists. Their reliance on the secure perimeter paradigm makes VPN solutions less secure, difficult to manage, and harder to scale. With fewer resources and users sitting in a company facility, the topology of VPN architectures imposes significant penalties on a company’s private network performance and user experience.
Twingate’s modern approach based on principles of Zero Trust eliminates the burden and friction of legacy technologies like OpenVPN. You can implement Twingate quickly without changing your network. Management becomes much simpler by consolidating control of access to all resources — no matter where they are located — within Twingate’s single, easy-to-use system. And Twingate improves security by reducing your company’s attack surface and taking away hackers’ ability to move laterally.
Contact us to learn more about Twingate’s Zero Trust solution. To get a zero-risk experience of Twingate in action, try out our new Starter service. Perfect for individuals and small teams, this free service lets you provide up to 5 users remote access to a private network.