With demand for VPNs at an all-time high, various protocols have emerged, all vying for the titles of “fastest” and “most secure”.
To get his take on the latest developments in the world of VPN – including the rise of WireGuard protocol, Google’s move into the VPN space and more – we sat down with James Yonan, CTO at OpenVPN.
Between WireGuard and proprietary protocols, OpenVPN has far more competition these days. What are your thoughts?
We have our own vision for the future of VPN that goes far beyond using VPN as a last-mile or site-to-site protocol. Imagine a VPN service that gives you a private, secure, and virtualized global internet across 50 different regions, and is so inexpensive to provide that we can give you three free concurrent connections.
Now imagine the technology under the hood that makes this a reality: high performance VPN protocol offloading to kernel space or dedicated hardware, lightweight network virtualization, fully-meshed VPN sessions, SAML authentication, network threat detection via IDS/IPS/NSM, DDoS protection, multi-region distributed load balancing and failover, MPLS routing, network namespaces, distributed global routing management, virtualized BGP, geolocation-aware routing, and DNS integration.
This is our next generation VPN-as-a-service technology that’s actually available today via our OpenVPN Cloud solution. We’ve essentially taken the capabilities of enterprise-class VPN solutions while reducing the cost and complexity of deployment down to the level of a consumer VPN service.
Many VPN providers are switching to using WireGuard. What is your take on what’s driving that?
Most VPN providers are what we could call first-generation providers: they are focusing on last-mile security. And WireGuard gives them a way to optimize their operations within the scope of the first-generation business model. They can handle more concurrent connections and bandwidth per server and lower their overall cost.
By contrast, we are focused on what we see as the next-generation VPN provider model, where last-mile security becomes just a checkbox item in a vast suite of capabilities. In the next-generation model, we give you a secure, virtualized internet in the cloud, and a full suite of enterprise-class tools to manage devices, authentication, routing, network threat detection, load balancing, failover, etc.
For example, consider a company that has millions of IoT devices around the world and needs to securely connect them into a virtualized cloud. These are enterprise-class problems that don’t fit into the first-generation VPN provider model, but represent a huge emerging market for VPN providers. We intend to serve this market, but it’s not really about whether your protocol is OpenVPN or WireGuard. The R&D, development, integration, operations, etc. to create a next-generation VPN service makes the VPN protocol implementation itself a detail rather than the main event.
There seems to be a consensus among many in the industry that OpenVPN is slower than newer protocols like WireGuard. Why is that?
There’s nothing about the OpenVPN protocol that in any way limits its potential performance. I think what we’ve seen in general over the last several years is that improvements in network performance at the hardware level have left the software scrambling to catch up.
WireGuard’s approach has been to essentially put the entire VPN implementation into kernel space to optimize its performance. But there’s a cost to this. WireGuard needed to reinvent its own network security protocol from scratch rather than leveraging industry-standard protocols such as SSL/TLS, so that it could fit into the more restricted execution environment of the Linux kernel.
SSL/TLS has conventionally been seen as a user-space protocol, without a straightforward development path to a high-performance kernel implementation. But this conventional wisdom is being turned on its head by developers who are embracing a concept called “offloading”: taking the “heavy lifting” work of a protocol, such as encryption and forwarding of network packets, and moving it to kernel space or specialized hardware that can perform those operations at full wire speed.
Offloading is really the holy grail of both security and performance because it allows us to embrace industry standard protocols such as SSL/TLS, but by offloading the packet processing to kernel space or hardware, we can push performance to the limits of wire speed.
At OpenVPN, offloading is key to our performance strategy:
- We have developed and open-sourced a kernel module (OpenVPN Data Channel Offload or ovpn-dco) that offloads the resource-intensive aspects of the OpenVPN protocol to kernel space while retaining all of the security benefits of industry-standard SSL/TLS.
- OpenVPN Cloud, our next-generation VPN service, has already launched Data Channel Offload in production, where we are seeing order-of-magnitude performance gains on the server side and expect to see similar gains in the client when ovpn-dco becomes widespread on the client side.
Do you see proprietary protocols as competition? Do you believe users lose out in any way from choosing a VPN with a proprietary protocol?
In a nutshell, proprietary protocols miss out on the peer-review process, so there’s no way to know whether or not these protocols have any hidden security defects.
And what about Google VPN?
I think what Google is saying is that they are developing their own VPN protocol with a focus on last-mile security and anonymity. They are saying that they might eventually support other protocols, but my reading of the document is that they have specific goals with respect to anonymity that they intend to achieve by developing their own protocol.
We’ve actually worked with Google in the past on projects such as these, though I would have to say that this is not our target market. OpenVPN, Inc. is primarily focused on the business-to-business market; however, the OpenVPN protocol itself is general purpose and lends itself well to a diverse range of applications.
What are security features unique to OpenVPN?
OpenVPN’s mantra has always been: don’t reinvent security; use the existing gold-standard protocols such as SSL/TLS that have been developed and defended for over 25 years by the best minds in cryptography. It’s surprising in a way that such a common-sense approach to security would be unique to OpenVPN, but the truth is that almost every other VPN developer (including WireGuard) has felt the need to reinvent their own security protocol.
Consider TLS 1.3, a network security protocol so advanced that several nation-states have seen fit to ban it, out of concern that it will flummox their censorship and mass surveillance capabilities. With OpenVPN, you get TLS 1.3 for free.
You also get capabilities such as “tls-auth” that protect against security vulnerabilities in the underlying SSL/TLS implementation. And now with ovpn-dco, you can get the best of both worlds: industry standard TLS security with kernel-layer performance acceleration.
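The two settings mentioned above, tls-auth and TLS 1.3, are ordinary directives in an OpenVPN server configuration. The fragment below is an added illustration, not taken from the interview or from OpenVPN’s own documentation: it contrasts a control channel that hands every incoming packet straight to the TLS library with one where tls-auth drops unauthenticated packets first and the TLS version is pinned to 1.3. The file names (server.conf, ta.key, the certificate paths) are assumptions; the directives themselves are standard in OpenVPN 2.5 and later built against OpenSSL 1.1.1 or newer.

```conf
# --- server.conf, weak variant (constructed example) ---
# Any UDP datagram that reaches port 1194 is parsed by the SSL/TLS
# library before the sender has proven anything, so a flaw in that
# library is reachable by unauthenticated peers. TLS 1.2 is still
# negotiable because no minimum version is set.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
# (no tls-auth / tls-crypt, no tls-version-min)

# --- server.conf, hardened variant (constructed example) ---
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
# tls-auth adds an HMAC, keyed with a pre-shared secret, to every
# control-channel packet. Packets without a valid HMAC are discarded
# before the TLS library ever sees them, which is the protection
# against SSL/TLS implementation bugs described in the interview.
# Generate the shared key once with:  openvpn --genkey secret ta.key
# The trailing number is the key direction: 0 on the server, 1 on clients.
tls-auth ta.key 0
# Refuse to negotiate anything older than TLS 1.3 on the control channel.
tls-version-min 1.3
# TLS 1.3 suites for the control channel (tls-ciphersuites is the
# TLS 1.3 counterpart of the older tls-cipher directive).
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# AEAD ciphers for the data channel; clients negotiate one of these.
data-ciphers AES-256-GCM:CHACHA20-POLY1305
```

Clients need the same ta.key with direction 1 (`tls-auth ta.key 1`) and a matching `tls-version-min 1.3`, otherwise the handshake is rejected. A quick check that the hardened server is behaving as intended is to watch its log: with tls-auth in place, packets lacking the HMAC are logged as authentication failures and never reach the TLS state machine. The related `tls-crypt` directive goes one step further and also encrypts the control channel with the pre-shared key; it is a drop-in replacement for `tls-auth` when both ends support it.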
What plans about the future of OpenVPN can you share with us?
As I mentioned above, we have developed a Linux kernel module (OpenVPN Data Channel Offload or ovpn-dco) that offloads performance-sensitive crypto and network operations to the kernel layer. We have open-sourced the project at https://github.com/OpenVPN/ovpn-dco and plan to engage with the Linux kernel community to eventually mainline this into the Linux kernel.