OpenVPN

OpenVPN is a program for setting up a virtual private network (VPN) over an encrypted TLS connection. For encryption it can use the libraries of OpenSSL. OpenVPN uses either UDP or TCP as its transport.

OpenVPN is free software under the GNU GPL and supports the operating systems Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, QNX, Windows 2000/XP/Vista/7, Android, iOS, Maemo and MeeGo, as well as the router Linux OpenWRT. Adapted implementations are also available for a variety of Linux-based devices, such as the set-top boxes of Dream Multimedia or the routers of AVM's FRITZ! line.


Background

Often, communication that is secure and unreadable by third parties has to be carried out over an insecure network, such as the Internet or a local unencrypted wireless LAN. Two aspects matter: sufficiently strong encryption of the communication content and authentication of the communication partners involved.

These security properties can be provided by each application using suitable protocols (e.g. SSH, HTTPS, SFTP). Alternatively, it may be desirable to provide this security centrally, independently of the individual applications. The advantages of this approach are that the security features only have to be implemented once, that maintenance costs are lower, and that the communication of third-party software over which one has no influence can also be secured.

Such centrally provided security is offered by a Virtual Private Network (VPN). OpenVPN is one of many VPN implementations.

Operation

Each communication partner can be a single computer or a network of computers. Typical applications are connecting individual field staff to their company network, connecting a branch office to the data center, or connecting geographically distributed servers or data centers to each other. In every case one of the two participants initiates the connection (the client) and the other waits for incoming connections (the server). For this, the server must be reachable under a fixed IP address or a fixed host name. For computers whose IP address changes constantly because of dial-up access, this can also be achieved with a dynamic DNS service.

If a packet filter or proxy sits in front of the VPN gateway, or if network address translation (NAT) is performed, these services must be configured so that the UDP or TCP port assigned in the OpenVPN configuration (usually 5000 or above; the default since OpenVPN 2.0 is 1194/UDP) is explicitly passed for input, forwarding and output.

OpenVPN has two modes of operation: routing and bridging.

Routing

Routing mode is the simplest form of secure communication. It establishes an encrypted tunnel between two remote sites over which only IP packets (layer 3) are passed. For this, each peer is assigned a virtual IP address from a fictitious subnet (e.g. 10.8.0.1 and 10.8.0.2).

Access to the network behind the peer is not possible directly (it is a point-to-point connection). To reach the local addresses of the remote site, the data packets must be forwarded using IP forwarding and entries in the routing table.
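As an added example that is not part of the original article, the following is a minimal routing-mode configuration for a server and one client using the fictitious 10.8.0.0/24 subnet named above. The host name vpn.example.com, the file names and the 192.168.10.0/24 LAN behind the server are assumed values chosen for illustration.

```conf
# server.conf, routing mode (added example; host name, file names and the
# 192.168.10.0/24 LAN behind the server are assumed values)
port 1194
proto udp
dev tun                                   # layer-3 tunnel: only IP packets are carried
server 10.8.0.0 255.255.255.0             # fictitious VPN subnet; the server takes 10.8.0.1
push "route 192.168.10.0 255.255.255.0"   # routing-table entry the clients need for the LAN behind the server
# certificate material created with easy-rsa (see "Certificate-based" below)
ca ca.crt
cert server.crt
key server.key
dh dh.pem
keepalive 10 120
persist-key
persist-tun
user nobody                               # drop privileges once the tunnel is up
group nogroup                             # group name is distribution dependent
verb 3

# client.conf, routing mode
client
dev tun
proto udp
remote vpn.example.com 1194               # assumed server host name
nobind
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server                    # accept only a certificate issued for server use
persist-key
persist-tun
verb 3
```

The `server` directive hands each client an address from 10.8.0.0/24, so the client in this example ends up with a 10.8.0.x address and 10.8.0.1 as its peer. Two things outside OpenVPN are still required before the LAN behind the server is reachable: IP forwarding has to be enabled in the server's operating system (`sysctl -w net.ipv4.ip_forward=1` on Linux), and the hosts on 192.168.10.0/24 need a return route for 10.8.0.0/24 via the VPN server (or the server must NAT the tunnel traffic); otherwise their replies never enter the tunnel.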

Bridging

In contrast to routing, bridging mode makes complete tunneling of Ethernet frames (layer 2) possible. It thereby allows, for example, the use of alternative protocols such as IPX and the sending of Wake-on-LAN packets.

A client is integrated fully transparently into the network it dials into and is assigned an IP address from the local subnet, so broadcasts are forwarded to it. The latter is necessary in particular for the automatic Windows name resolution of the SMB protocol.

To be able to join the existing subnet, the virtual network adapter used by OpenVPN, the so-called TAP device, must be connected to the real network via a network bridge.

Bridging is somewhat less efficient than routing (poor scalability) and is susceptible to IP address conflicts. In addition, restricting client access is more difficult to achieve than in routing mode.
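The bridging counterpart, as an added example that is not part of the original article: the server hands out addresses from the real LAN instead of a fictitious subnet. The LAN 192.168.10.0/24, the bridge name br0, the host name and the file names are assumed values.

```conf
# server.conf, bridging mode (added example; the LAN 192.168.10.0/24, the bridge
# name br0, the host name and the file names are assumed values)
port 1194
proto udp
dev tap0                                  # layer-2 adapter; tap0 must already be attached to br0 by the OS
# server-bridge <gateway pushed to clients> <netmask> <pool start> <pool end>
# Clients get addresses from the real LAN; the pool must be kept out of the LAN's
# DHCP range, otherwise the address conflicts mentioned in the text occur.
server-bridge 192.168.10.1 255.255.255.0 192.168.10.200 192.168.10.250
ca ca.crt
cert server.crt
key server.key
dh dh.pem
keepalive 10 120
persist-key
persist-tun
verb 3

# client.conf, bridging mode: identical to a routing-mode client except for the adapter type
client
dev tap
proto udp
remote vpn.example.com 1194
nobind
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
verb 3
```

The TAP device is created and added to br0 by the operating system before OpenVPN starts (on Linux with `openvpn --mktun --dev tap0` followed by `ip link set tap0 master br0`); OpenVPN itself only moves frames between the tunnel and tap0. Because clients then sit on the LAN segment like local machines, limiting what a client may reach means filtering on the bridge rather than writing ordinary IP rules for a tun interface, which is the access-restriction drawback the text refers to.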

Authentication

For authentication, OpenVPN offers several methods:

Pre-shared Key

When a "pre-shared key" (a static key/password) has been exchanged beforehand, the data are encrypted and decrypted with it. The method is easy to use. Its disadvantage, however, is that the key must not be lost or compromised; in that case a new key has to be distributed to all communication partners. One should therefore choose a "trusted" installation (e.g. a PGP Disk container) that guarantees the protection of the key. The key can also be exchanged through an automated process over an existing connection.
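What a static-key setup looks like in practice, as an added example that is not part of the original article. Both peers use one and the same key file; the host name and file name are assumed values.

```conf
# Generate the key once on one side and copy it to the other over a trusted channel:
#   openvpn --genkey secret static.key        (OpenVPN 2.5 and later)
#   openvpn --genkey --secret static.key      (OpenVPN 2.4 and earlier)
# The same file is used by both peers; possession of the file is the whole secret.

# peer A, listens (added example; host name and file name are assumed values)
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2                # local / remote tunnel address from the fictitious subnet
secret static.key 0                       # key direction 0 on this side ...
cipher AES-256-CBC                        # static-key mode uses a fixed cipher; nothing is negotiated
auth SHA256
keepalive 10 60
persist-key
persist-tun

# peer B, connects
dev tun
proto udp
remote vpn.example.com 1194               # assumed host name
ifconfig 10.8.0.2 10.8.0.1
secret static.key 1                       # ... and direction 1 on the other
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
```

Because no key negotiation takes place, the static key both authenticates and encrypts, and it does so for every session: whoever obtains the file can decrypt recorded traffic from any earlier session (no forward secrecy). That is why the text advises a protected key store and a full re-keying of every peer after a loss.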

User Name / Password

Access to the network is restricted by means of an individual user name and password. However, this method is vulnerable to man-in-the-middle attacks.
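How password-only authentication is configured, and which client-side settings close the man-in-the-middle gap the text mentions, as an added example that is not part of the original article. The verification script path, the host name and the file names are hypothetical; the server excerpt lists only the lines beyond the usual certificate, key and dh directives.

```conf
# server.conf excerpt: clients authenticate with user name / password only
# (added example; the script path, host name and file names are hypothetical)
verify-client-cert none                   # no client certificate required (OpenVPN 2.4 and later)
username-as-common-name                   # identify and log clients by user name
script-security 2                         # allow OpenVPN to run the verification script
auth-user-pass-verify /etc/openvpn/check-password.sh via-file
tls-crypt ta.key                          # shared file that authenticates and encrypts the TLS control channel

# client.conf, weak variant
client
dev tun
remote vpn.example.com 1194
auth-user-pass                            # prompt for user name and password
ca ca.crt
# Only the CA chain is checked. Any certificate issued by this CA is accepted as the
# server's, so another holder of a CA-issued certificate could pose as the server,
# collect the password and relay the session: the man-in-the-middle case the text warns about.

# client.conf, hardened variant
client
dev tun
remote vpn.example.com 1194
auth-user-pass
ca ca.crt
remote-cert-tls server                    # peer certificate must carry the server key usage / EKU
verify-x509-name vpn.example.com name     # and its subject CN must match the expected server name
tls-crypt ta.key                          # a peer without the shared file cannot even start the TLS handshake
```

With `verify-client-cert none` the password is the only thing that identifies the user, so the client's check of the server's identity is the sole protection against the password being handed to an impostor; `remote-cert-tls server` and `verify-x509-name` are what turn "some certificate from our CA" into "the one server I expect".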

Certificate-based

With certificate-based authentication via the TLS protocol, private/public key pairs or X.509 certificates are used.

The server and each user have their own certificate (public/private). The OpenVPN server only allows connections whose certificate is signed by a certificate authority known to it. OpenVPN ships with scripts (easy-rsa) that allow certificates to be created easily without further knowledge.

To establish a connection, the client sends data to the server (SSL version and random data). The server sends back the same kind of data together with its certificate. The client verifies the certificate. For mutual authentication, the client also sends its certificate to the server. If the checks succeed, the client generates the "pre-master secret" and encrypts it with the server's public key. The server decrypts it with its private key and creates the "master secret", from which the session keys are created. These are one-time keys with which the data are encrypted and decrypted. The client tells the server that from now on all data will be encrypted with the session key; the server acknowledges this and the tunnel is established. After a certain period of time OpenVPN automatically replaces the session key.

Certificate-based authentication is regarded as the most secure form of login. To increase security further, it is advisable to move the certificates onto a smart card. OpenVPN supports all cards that can be accessed via the Windows CryptoAPI or PKCS#11.
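Mutual certificate authentication with the hardening directives a practitioner would add, plus the two smart-card variants named above, as an added example that is not part of the original article or of easy-rsa. File names, the host name, the PKCS#11 module path and the certificate subject are assumed values; the `pkcs11-id` value is a placeholder.

```conf
# server.conf excerpt: mutual certificate authentication (added example; file names assumed)
ca ca.crt                                 # CA that issued the server and client certificates (easy-rsa output)
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem                        # revoke a lost client certificate without replacing the CA
remote-cert-tls client                    # accept only certificates issued for client use
tls-crypt ta.key                          # shared file that authenticates and encrypts the TLS control channel
tls-version-min 1.2
reneg-sec 3600                            # replace the session keys every hour (the default)

# client.conf excerpt, key pair stored in files
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server                    # accept only a certificate issued for server use
verify-x509-name vpn.example.com name     # assumed server name; must match the server certificate's CN
tls-crypt ta.key

# client.conf excerpt, key pair on a smart card via PKCS#11 (replaces cert and key)
pkcs11-providers /usr/lib/opensc-pkcs11.so          # assumed module path
pkcs11-id 'PLACEHOLDER-SERIALIZED-ID'               # list real ids with: openvpn --show-pkcs11-ids <module>

# client.conf excerpt, certificate in the Windows CryptoAPI store (replaces cert and key)
cryptoapicert "SUBJ:client1"                        # assumed subject of the client certificate
```

`crl-verify` is what makes certificate authentication practical in the lost-key case the text contrasts with pre-shared keys: one revoked entry blocks that client, and no other peer has to be re-keyed. `reneg-sec` is the automatic session-key replacement described above, and `remote-cert-tls` on both sides stops a certificate issued for one role from being presented in the other. With the private key on a smart card it never exists as a file on the client; only the signing operation is delegated to the card.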

Frontends

Besides the command line, several graphical front ends exist for OpenVPN, for example:

  • OpenVPN GUI for Windows,
  • Tunnelblick for Mac OS X,
  • OpenVPN-Admin, a front end written in C# on the basis of Mono,
  • KVpnc, an application integrated into the K Desktop Environment, as well as
  • integration into Network Manager (GNOME and K Desktop Environment).

Windows

  • OpenVPN Technologies, the latest version of OpenVPN for Windows, including x64.
  • OpenVPN GUI, which comes bundled with the latest versions of OpenVPN for Windows.
  • OpenVPN MI GUI, a modification of the original GUI that uses the OpenVPN management interface and does not require administrator rights.
  • OpenVPN Admin
  • Securepoint OpenVPN Client for Windows, which does not require administrator rights and offers some convenience functions (storing passwords, etc.).
  • Viscosity

Mac OS X

  • Tunnel Vision
  • Viscosity
  • Shimo

iOS

  • GuizmOVPN
  • OpenVPN Connect by OpenVPN Technologies

Linux

  • Network Manager
  • KVPNC
  • OpenVPN Admin

OpenWRT

  • OpenWRT OpenVPN HowTo

Fritz!

  • Fritz! OpenVPN HowTo
  • Freetz OpenVPN HowTo

Dreambox

  • OpenVPN plugin for GP3

Android

  • OpenVPN Connect by OpenVPN Technologies

Maemo

  • OpenVPN for Maemo 5