Here's what OpenVPN thinks about WireGuard, Google VPN, and more

The VPN industry is on a growth trajectory like few others in the tech world, intensified by the pandemic and the shift to remote work. With demand for VPNs at an all-time high, several different protocols have sprung up, all vying for the titles of "fastest" and "most secure." To get his thoughts on the latest developments in the world of VPNs, including the rise of the WireGuard protocol, Google's move into the VPN space, and more, we spoke with James Yonan, CTO of OpenVPN.

Between Wireguard and proprietary protocols, OpenVPN has a lot more competition these days. What are your thoughts?

We have our own vision for the future of VPNs that goes far beyond using VPNs as a last-mile or site-to-site protocol. Imagine a VPN service that gives you private, secure, virtualized global internet in 50 different regions, and is so cheap to run that we can provide you with three simultaneous connections for free. Now imagine hidden technology making it real: high-performance VPN protocol offload to dedicated kernel or hardware space, lightweight network virtualization, fully meshed VPN sessions, SAML authentication, network threat detection via IDS/IPS/NSM, DDoS protection, multi-region distributed load balancing and failover, MPLS routing, network namespaces, distributed global routing management, virtualized BGP, geolocation-aware routing, and DNS integration. This is our next-generation VPN-as-a-service technology that is currently available through our OpenVPN Cloud solution. Essentially, we have assumed the capabilities of enterprise-class VPN solutions while reducing the cost and complexity of implementation in a consumer VPN service.

Many VPN providers use Wireguard. What's your take on what's driving this?

Most VPN providers are what we might call first generation providers; they focus on last mile security. And Wireguard gives them a way to streamline their operations under the first generation business model. They can handle more concurrent connections and bandwidth per server and lower your overall cost. Instead, we focus on what we see as the next-generation VPN provider model, where last-mile security simply becomes a checkbox across a wide range of features. In the next-generation model, we bring you a secure, virtualized Internet in the cloud and a complete set of enterprise-class tools for device management, authentication, routing, network threat detection, load balancing, dumping, and more. Let's take the example of a company that has millions of IoT devices around the world and needs to securely connect them to a virtualized cloud. These are enterprise-class issues that don't fit the first-generation VPN provider model, but they do represent a huge emerging market for VPN providers. We intend to serve this market, but it's not really a question of whether your protocol is OpenVPN or WireGuard. The R&D, development, integration, operations, etc. that go into creating a next-generation VPN service make the implementation of the VPN protocol itself more of a detail than the main event.

There seems to be a consensus among many in the industry that OpenVPN is slower than newer protocols like Wireguard. Why is that?

There is nothing in the OpenVPN protocol that in any way limits its potential performance. I think what we've seen in general in recent years is that improvements in network performance at the hardware level have left software struggling to catch up. Wireguard's approach has essentially been to place the entire VPN implementation in kernel space to optimize its performance. But it comes at a cost. Wireguard needed to reinvent its own network security protocol from the ground up instead of relying on industry standard protocols like SSL/TLS, so that it could fit into the more restricted runtime environment of the Linux kernel. SSL/TLS has traditionally been viewed as a user-land protocol, with no easy development path to a high-performance kernel implementation, but this conventional wisdom is being overturned by developers embracing a concept called "offloading," where the "heavy" work of a protocol, such as encryption and transmission of network packets, is moved into kernel space or specialized hardware that can perform operations at full wire speed. Offloading is truly the holy grail of security and performance, as it allows us to adopt industry standard protocols like SSL/TLS, but by offloading packet processing to kernel space or hardware, we can push performance to the limits of wire speed. At OpenVPN, offloading is the key to our performance strategy.

Do you consider that proprietary protocols are competition? Do you think users are somehow losing the option of a VPN with a proprietary protocol?

Simply put, proprietary protocols lose the peer review process, so there is no way to tell if these protocols have hidden security flaws.

And what about Google's VPN?

I think what Google is saying is that they are developing their own VPN protocol with an emphasis on last mile security and anonymity. They say they might eventually support other protocols, but my reading of the document is that they have specific anonymity goals that they intend to achieve by developing their own protocol. In fact, we've worked with Google in the past on projects like these, although I have to say that's not our target market. OpenVPN, Inc. is primarily focused on the business-to-business market, but the OpenVPN protocol itself is general-purpose and lends itself well to a wide range of applications.

What are the unique security features of OpenVPN?

The OpenVPN mantra has always been to not reinvent security, to use existing reference protocols like SSL/TLS that have been developed and championed for over 25 years by the best minds in crypto. It's surprising that such a no-nonsense approach to security is unique to OpenVPN, but the truth is that almost every other VPN developer (including Wireguard) has felt the need to reinvent their own security protocol. Consider TLS 1.3, a network security protocol so advanced that several nation states have seen fit to ban it, fearing it could hurt their censorship and mass surveillance capabilities. With OpenVPN, you get TLS 1.3 for free. You also get features like "tls-auth" that protect against security holes in the underlying SSL/TLS implementation. And now, with ovpn-dco, you can get the best of both worlds: standard TLS security with kernel layer performance acceleration.
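The "tls-auth" feature mentioned above works by having both peers share a static key and attaching an HMAC to every control-channel packet, so that a packet whose HMAC does not verify is discarded before any of its bytes reach the TLS implementation. The following is an added example, written for this page and not taken from OpenVPN's code base, that models that idea in simplified form: the digest choice, the packet layout and the `FragileTLSParser` stand-in are assumptions made for illustration, and the real OpenVPN wire format differs.

```python
import hmac
import hashlib
import os

# Constructed, simplified model of the tls-auth idea: an HMAC gate in front of
# the TLS parser. Not OpenVPN's actual packet format.
DIGEST = "sha256"                       # assumption: digest chosen for the demo
TAG_LEN = hashlib.new(DIGEST).digest_size


def seal(key: bytes, payload: bytes) -> bytes:
    """Sender side: prepend an HMAC tag computed over the control payload."""
    tag = hmac.new(key, payload, DIGEST).digest()
    return tag + payload


def verify_and_strip(key: bytes, packet: bytes):
    """Receiver side: return the payload if the tag verifies, else None.

    The comparison is constant-time so the gate itself does not leak timing
    information about how many tag bytes matched.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, DIGEST).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


class FragileTLSParser:
    """Stand-in for the TLS stack being shielded.

    It only records how many packets it was asked to parse; the point of the
    gate is that unauthenticated input never increments this counter.
    """

    def __init__(self):
        self.parsed = 0

    def feed(self, payload: bytes) -> bytes:
        self.parsed += 1
        return payload


def gated_receive(key: bytes, parser: FragileTLSParser, packet: bytes) -> str:
    """Authenticate first, parse second. Returns 'parsed' or 'dropped'."""
    payload = verify_and_strip(key, packet)
    if payload is None:
        return "dropped"
    parser.feed(payload)
    return "parsed"


def demo():
    """Run three constructed packets through the gate and report the outcome."""
    key = os.urandom(32)                # stands in for the shared static key file
    parser = FragileTLSParser()

    good = seal(key, b"ClientHello (constructed sample)")
    # Forged packet from a peer without the key: a zero tag over the same bytes.
    forged = b"\x00" * TAG_LEN + b"ClientHello (constructed sample)"
    # Valid packet with one payload bit flipped in transit.
    tampered = bytearray(good)
    tampered[-1] ^= 0x01

    results = [gated_receive(key, parser, p) for p in (good, forged, bytes(tampered))]
    return results, parser.parsed


if __name__ == "__main__":
    outcome, count = demo()
    print(outcome, "packets reaching the TLS parser:", count)
```

Only the correctly keyed packet is handed to the parser; the forged and the tampered packets are dropped without being parsed, which is the property the interview credits to "tls-auth": a flaw in the TLS implementation can only be reached by someone who already holds the static key.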

What plans for the future of OpenVPN can you share with us?

As I mentioned earlier, we have developed a Linux kernel module (OpenVPN Data Channel Offload or ovpn-dco) that offloads performance-sensitive encryption and network operations to the kernel layer. We have the open source project at https://github.com/OpenVPN/ovpn-dco and we plan to engage with the Linux kernel community to finally integrate it into the Linux kernel.