Question about differences in packages (openvpn vs openvpn3/openvpn3-client)

[HybridZach]

Could someone tell me the difference between openvpn and this openvpn3 on Linux? my VPN provider told me to install openvpn, but openvpn website I noticed says to use openvpn3, I was originally hunting for a GUI because I wanted a killswitch and come across the two different openvpns. I used openvpn a lot recently, and now switching to this is there any key differences, is this one better for security, more up to date? sorry for the noob question.

[dsommers]

The traditional OpenVPN package is called openvpn. That is the OpenVPN 2.x generation which has bee available for close to 20 years. This works fine and has integrations with NetworkManager as well, plus a lot of consumer VPN providers build upon this one for their own service specific GUI.

The OpenVPN 3 Linux project is fairly new. It builds upon a re-implementation of the OpenVPN protocol into a C++ library. The openvpn3/openvpn3-client packages provides mostly the same client functionality as OpenVPN 2.x, but the implementation itself very different.

OpenVPN 2.x

• Requires root privileges to start
• Provides no session management; that's where various GUIs and NetworkManager comes into play
• Needs helper scripts/plug-ins to setup DNS settings; the NetworkManager integration can help with this

OpenVPN 3 Linux

• Allows by default any users on the system to start a VPN session; it ships with privilege separation and runs several components - each with the least amount of privileges needed to be functional
• Ships with both a configuration and session management, with access control management for both to make it useful in multi-user environments.
• Supports DNS configuration out-of-the- box, it integrates with systemd-resolved or can modify /etc/resolv.conf on-the-fly
• Currently only provides a command line utility
  • however, other integrations should be far easier - as the whole OpenVPN 3 Linux stack is built around D-Bus. A GUI, other command line tools or similar tools can easily be written as the whole stack gives an API to use to manage both configuration profiles and VPN sessions.
  • It also ships with an openvpn3 Python 3 module to write your own tooling around configuration and session management.
  • NetworkManager integration is planned, but no ETA yet.

In regards to kill-switch functionality. This should work fairly well with OpenVPN 3 Linux. It does a few extra things to avoid leaking data outside the VPN tunnel when full network redirection is in use. When a OpenVPN 3 Linux needs to do a tunnel restart or full reconnect, it will create a new tun interface which will be configured with routes and IP addresses before the "old" tun interface is removed. This ensures the traffic intended to go over the VPN will never exit other active network interfaces; unless explicitly routed outside the tunnel.

OpenVPN 3 Linux also ships with an openvpn2 command (not to be confused with the classic openvpn executable shipped with OpenVPN 2.x). The openvpn2 command is a wrapper command emulating the openvpn command - but it only supports client-side options. This is useful for users who knows the openvpn command quite well and wants a similar interface with OpenVPN 3 Linux.

When it comes to security ... that's a bit more complex to answer. In regards to the VPN tunnel security, Both versions are basically equally safe and secure. The security of the binaries themselves are also considered to be equally good, even though OpenVPN 2.x has been through more security audits than the OpenVPN 3 stack.

When it comes to runtime environment, the OpenVPN 3 Linux stack is far more locked down than OpenVPN 2.x. OpenVPN 3 Linux has multiple processes doing just a single task alone - like configuration management, session management, network configuration, VPN tunnel and logging. Each of these processes are locked down and runs independently of the other services; if one of the crashes, the impact is reduced to only the segment that process is responsible for. With OpenVPN 2.x, everything is run inside a single process, which often has elevated privileges.

That said, OpenVPN 2.x does not have the full management services which the OpenVPN 3 Linux stack has, so it is somewhat simpler. However, with OpenVPN 2.x the VPN client connection itself will run with more privileges. In OpenVPN 3 Linux, the VPN client connection runs completely unprivileged and any operation requiring more privileges (like network and DNS configuration) is handed over via D-Bus API calls to the OpenVPN 3 Network Configuration service; which runs with somewhat more privileges (still less than OpenVPN 2.x). These API calls are also highly restricted in what they can ask for.

I do consider OpenVPN 3 Linux to be quite a bit better when it comes to runtime security.

A quick-start guide how to use OpenVPN 3 Linux can be found here: https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux#Quickstart-howtouseOpenVPN3Linux

[HybridZach]

Thank you for the in depth reply it has cleared up all my questions.
Its funny you should mention that there is an API and also a python module (I had no idea), since there was no GUI I decided to code my own with python and qt5, now I know there is an API and python module it might make it a lot cleaner the GUI I built.

[dsommers]

@Ub3rZ4cH If you would want to dig into providing a GUI for OpenVPN 3 Linux, I am all in favour of that! And I will support you to make it become a reality, if you need it. Just reach out on my e-mail address found in the git logs.

The openvpn2, openvpn3-systemd and openvpn3-as "front-ends" are all written in Python. And there are more example codes to be found in the source tree as well: https://github.com/OpenVPN/openvpn3-linux/tree/master/src/tests/python

You are completely free to release this as your own project, or if you want to have it part of the OpenVPN 3 Linux project I'll be more than happy to discuss how we can achieve that best.