1. Introduction §
I wanted to write this text for some time, a list of VPN with encryption that can be used on OpenBSD. I really don't plan to write about all of them but I thought it was important to show the choices available when you want to create a VPN between two peers/sites.
2. VPN §
VPN is an acronym for Virtual Private Network, is the concept of creating a network relying on a virtual layer like IP to connect computers, while regular network use physical network layer like Ethernet cable, wifi or light.
There are different VPN implementation existing, some are old, some are new. They have pros and cons because they were done for various purpose. This is a list of VPN protocols supported by OpenBSD (using base or packages).
2.1. OpenVPN §
Certainly the most known, it's free and open source and is widespread.
- works with tun or tap interfaces. tun device is a virtual network interface using IP while tap device is a virtual network interface passing Ethernet and which can be used to interconnect Ethernet networks across internet (allowing remote dhcp or device discovery)
- secure because it uses SSL, if the SSL lib is trusted then OpenVPN can be trusted
- can work with TCP or UDP, this allow setups such as using TCP/443 or UDP/53 to try to bypass local restrictions
- flexible in regards to version difference allowed between client and server, it's rare to have an incompatible client
- certificate management isn't straightforward for the initial setup
2.2. WireGuard §
A recent VPN protocol joined the party with an interesting approach. It's supported by OpenBSD base system using ifconfig.
- connection is stateless, so if your IP change (when switching network for example) or you experience network loss, you don't need to renegotiate the connection every time this happen, making the connection really resilient.
- setup is easy because it only require exchanging public keys between clients
- the crypto choice is very limited and in case of evolution older clients may have issue to connect (this is a cons as deployment but may be considered a good thing for security)
OpenBSD ifconfig man page anchored to WireGuard section
Examples of wg interfaces setup
2.3. SSH §
SSH is known for being a secure way to access a remote shell but it can also be used to create a VPN with a tun interface. This is not the best VPN solution available but at least it doesn't require much software and could be enough for some users.
- performance are not great
- documentation about the -w flag used for creating a VPN may be sparse for many
2.4. mlvpn §
mlvpn is a software to aggregate links through VPN technology
- it's a simple way to aggregate links client side and NAT from the server
- it partly obsolete due to MPTCP protocol doing the same but a lot better (but OpenBSD doesn't do MPTCP)
- it doesn't work very well when using different kind of internet links (DSL/4G/fiber/modem)
2.5. IPsec §
IPSec is handled with iked in base system or using strongswan from ports. This is the most used VPN protocol, it's reliable.
- most network equipment know how to do IPsec
- it works
- it's often complicated to debug
- older compatibility often means you have to downgrade security to make the VPN work instead of saying it's not possible and ask the other peer to upgrade
OpenBSD FAQ about VPN
2.6. Tinc §
Meshed VPN that works without a central server, this is meant to be robust and reliable even if some peers are down.
- allow clients to communicate between themselves
- it doesn't use a standardized protocol (it's not THAT bad)
Note that Tailscale is a solution to create something similar using WireGuard.
2.7. Dsvpn §
- works on TCP so it's easier to bypass filtering
- easy to setup
- small and recent project, one could say it has less "eyes" reading the code so security may be hazardous (the crypto should be fine because it use common crypto)
2.8. Openconnect §
I never heard of it before, I found it in the ports tree while writing this text. There is openconnect package to act as a client and ocserv to act as a server.
- it can use TCP to try to bypass filtering through TCP/443 but can fallback to UDP for best performance
- the open source implementation (server) seems minimalist
2.9. gre §
gre is a special device on OpenBSD to create VPN without encryption, it's recommended to use it over IPSec. I don't cover it more because I was emphasing on VPN with encryption.
gre interface man page
3. Conclusion §
If you never used a VPN, I'd say OpenVPN is a good choice, it's versatile and it can easily bypass restrictions if you run it on port TCP/443.
I personnaly use WireGuard on my phone to reach my emails, because of WireGuard stateless protocol the VPN doesn't draw battery to maintain the connection and doesn't have to renogicate every time the phone gets Internet access.