OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.
OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.
OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.
OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms.
Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.
With OpenVPN, you can:
- tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
- configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,
- use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
- use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,
- choose between static-key based conventional encryption or certificate-based public key encryption,
- use static, pre-shared keys or TLS-based dynamic key exchange,
- use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
- tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
- tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
- tunnel networks over NAT,
- create secure ethernet bridges using virtual tap devices, and
- control OpenVPN using a GUI on Windows or Mac OS X.
- Fixed problem with special case route targets ('remote_host'), which could cause filling of the routing table with random garbage. Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.
- Fix problem with special case route targets ('remotehost') The initroute() function will leave &netlist untouched for getspecialaddr() routes ("remotehost" being one of them). netlist is on stack, contains random garbage, and netlist.len will not be 0 - thus, random stack data is copied from netlist.data until the routelist is full. Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.