Title: What are the VPN available on OpenBSD
       Author: Solène
       Date: 11 December 2021
       Tags: openbsd vpn nocloud
       Description: I made a list of available VPNs that could be used on
       OpenBSD, whether they are from base or packages, and gave the pros and
       cons for each protocol.
       
       # Introduction
       
       I have wanted to write this text for some time: a list of VPNs with
       encryption that can be used on OpenBSD.  I really don't plan to write
       about all of them, but I thought it was important to show the choices
       available when you want to create a VPN between two peers/sites.
       
       # VPN
       
       VPN is an acronym for Virtual Private Network: the concept of creating
       a network on top of a virtual layer such as IP to connect computers,
       while a regular network uses a physical layer such as an Ethernet
       cable, wifi or light.
       
       There are many VPN implementations; some are old, some are new.  They
       have different pros and cons because they were designed for various
       purposes.  This is a list of VPN protocols supported by OpenBSD (from
       base or packages).
       
       ## OpenVPN
       
       Certainly the best known; it's free and open source and widespread.
       
       Pros:
       * works with tun or tap interfaces.  A tun device is a virtual network
       interface carrying IP, while a tap device is a virtual network
       interface carrying Ethernet frames, which can be used to interconnect
       Ethernet networks across the Internet (allowing remote DHCP or device
       discovery)
       * secure because it uses SSL/TLS: if the SSL library is trusted, then
       OpenVPN can be trusted
       * can work over TCP or UDP, which allows setups such as using TCP/443
       or UDP/53 to try to bypass local restrictions
       * tolerant of version differences between client and server; it's rare
       to have an incompatible client
       
       Cons:
       * certificate management isn't straightforward for the initial setup
       
       ## WireGuard
       
       A recent VPN protocol that joined the party with an interesting
       approach.  It's supported by the OpenBSD base system and configured
       with ifconfig.
       
       Pros:
       * the connection is stateless, so if your IP changes (when switching
       networks for example) or you experience network loss, you don't need
       to renegotiate the connection every time this happens, making the
       connection really resilient
       * setup is easy because it only requires exchanging public keys
       between peers
       
       Cons:
       * the crypto choice is very limited, and if the protocol evolves, older
       clients may have trouble connecting (this is a con for deployment but
       may be considered a good thing for security)
       
 (HTM) OpenBSD ifconfig man page anchored to WireGuard section
 (HTM) Examples of wg interfaces setup
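       As an added example (not part of the original post and not OpenBSD's
       own files), the script below renders the /etc/hostname.wg0 file for
       both ends of a WireGuard tunnel using the ifconfig(8) keywords; the
       key strings, addresses and port are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: render /etc/hostname.wg0 for one
# side of a WireGuard tunnel on OpenBSD.  Each line of a hostname.if file is
# handed to ifconfig(8), so the file mirrors what you would type by hand.
# Keys below are constructed placeholders: a real private key comes from
# `openssl rand -base64 32`, and its public key is shown by `ifconfig wg0`
# (the wgpubkey line) once wgkey is set; only public keys are exchanged.

# wg_hostname_if PRIVKEY PORT PEER_PUBKEY PEER_ENDPOINT PEER_AIP LOCAL_ADDR
# PEER_ENDPOINT is "ip port", or "" for a roaming peer such as a phone: the
# endpoint is then learned from the peer's next authenticated packet, which
# is why the tunnel survives an IP change without being torn down.
wg_hostname_if() {
    privkey=$1; port=$2; peerkey=$3; endpoint=$4; aip=$5; local_addr=$6
    printf 'wgkey %s\n' "$privkey"
    printf 'wgport %s\n' "$port"
    if [ -n "$endpoint" ]; then
        printf 'wgpeer %s wgendpoint %s wgaip %s\n' "$peerkey" "$endpoint" "$aip"
    else
        printf 'wgpeer %s wgaip %s\n' "$peerkey" "$aip"
    fi
    printf 'inet %s\n' "$local_addr"
}

# pf.conf rule admitting WireGuard's UDP packets on the listening port.
wg_pf_rule() {
    printf 'pass in on egress inet proto udp to port %s\n' "$1"
}

# Constructed demo: a server with a fixed address and a roaming client.
SERVER_PRIV='SERVER_PRIVATE_KEY_PLACEHOLDER='
SERVER_PUB='SERVER_PUBLIC_KEY_PLACEHOLDER='
CLIENT_PRIV='CLIENT_PRIVATE_KEY_PLACEHOLDER='
CLIENT_PUB='CLIENT_PUBLIC_KEY_PLACEHOLDER='

server_config() {
    # Server side: no endpoint for the client, only its tunnel address.
    wg_hostname_if "$SERVER_PRIV" 51820 "$CLIENT_PUB" "" 10.10.0.2/32 10.10.0.1/24
}

client_config() {
    # Client side: pins the server endpoint and sends the tunnel net to it.
    wg_hostname_if "$CLIENT_PRIV" 51820 "$SERVER_PUB" "203.0.113.10 51820" \
        10.10.0.0/24 10.10.0.2/24
}

# On a live OpenBSD host, save the output as /etc/hostname.wg0 (mode 0640, it
# holds the private key), run `sh /etc/netstart wg0`, and add the pf rule.
server_config; echo; client_config; echo; wg_pf_rule 51820
```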
       
       ## SSH
       
       SSH is known for being a secure way to access a remote shell, but it
       can also be used to create a VPN with a tun interface.  This is not
       the best VPN solution available, but at least it doesn't require extra
       software and could be enough for some users.
       
       Pros:
       * everyone has ssh
       
       Cons:
       * performance is not great
       * documentation about the -w flag used for creating the VPN may be
       sparse for many users
       
       ## mlvpn
       
       mlvpn is software that aggregates links through VPN technology.
       
       Pros:
       * it's a simple way to aggregate links on the client side and NAT them
       from the server
       
       Cons:
       * it is partly obsolete because the MPTCP protocol does the same thing
       a lot better (but OpenBSD doesn't support MPTCP)
       * it doesn't work very well when combining different kinds of internet
       links (DSL/4G/fiber/modem)
       
       ## IPsec
       
       IPsec is handled by iked in the base system or by strongswan from
       ports.  This is the most widely used VPN protocol, and it's reliable.
       
       Pros:
       * most network equipment knows how to do IPsec
       * it works
       
       Cons:
       * it's often complicated to debug
       * compatibility with older peers often means you have to downgrade
       security to make the VPN work, instead of saying it's not possible and
       asking the other peer to upgrade
       
 (HTM) OpenBSD FAQ about VPN
       
       ## Tinc
       
       A meshed VPN that works without a central server; it is meant to be
       robust and reliable even if some peers are down.
       
       Pros:
       * allows clients to communicate directly with each other
       
       Cons:
       * it doesn't use a standardized protocol (it's not THAT bad)
       
       Note that Tailscale is a solution to create something similar using
       WireGuard.
       
       ## Dsvpn
       
       Pros:
       * works on TCP so it's easier to bypass filtering
       * easy to set up
       
       Cons:
       * small and recent project; one could say it has fewer "eyes" reading
       the code, so security may be hazardous (the crypto should be fine
       because it uses common crypto)
       
       ## Openconnect
       
       I had never heard of it before; I found it in the ports tree while
       writing this text.  There is an openconnect package to act as a client
       and ocserv to act as a server.
       
       Pros:
       * it can use TCP to try to bypass filtering through TCP/443 but can
       fall back to UDP for best performance
       
       Cons:
       * the open source implementation (server) seems minimalist
       
       ## gre
       
       gre is a special device on OpenBSD to create a VPN without encryption;
       it's recommended to run it on top of IPsec.  I don't cover it further
       because I was emphasizing VPNs with encryption.
       
 (HTM) gre interface man page
       
       # Conclusion
       
       If you have never used a VPN, I'd say OpenVPN is a good choice: it's
       versatile and it can easily bypass restrictions if you run it on
       TCP/443.
       
       I personally use WireGuard on my phone to reach my emails; because of
       WireGuard's stateless protocol, the VPN doesn't drain the battery to
       maintain the connection and doesn't have to renegotiate every time the
       phone gets Internet access.