VPN Product and Technology Comparison

2019-11-20

Introduction

The eduVPN service is positioned as the VPN service for the international research and education community. We were inspired by eduroam to offer a secure and privacy-enhancing VPN solution to as many researchers and students as possible. We aim to have endpoints in as many locations as we have collaborating National Research and Education Networks (NRENs). In addition, the eduVPN software is capable of replacing existing VPN solutions that provide access to the institute network. This can be done either by self-hosting the eduVPN software on premises or by using a hosted solution provided by the NREN.

The eduVPN service is a collaboration of various NRENs, governed by GÉANT.

As no existing solution, neither open source nor proprietary, offered the functionality required, we decided to build our own service as a free and open source project.

eduVPN integrates smoothly with the existing identity management systems (IdMs) currently in use at many (larger) organizations. We created native VPN applications for the most common devices, i.e. Android, iOS, macOS, Windows and Linux, to make using eduVPN as easy as possible.

The eduVPN server uses the community edition of OpenVPN. OpenVPN is one of the most widely used open source VPN solutions.

Occasionally we get the question which features eduVPN offers over "competitors" and why we chose OpenVPN instead of any of the other available open source VPN software protocols and implementations. In this post we'll dive into this and explain the unique aspects of OpenVPN and eduVPN and why we have built eduVPN this way.

Why eduVPN?

Before diving into details regarding the various VPN protocols, we'll first describe the features of the eduVPN software itself:

VPN Technology

There were a number of competing open source VPN technologies available when we started the project in October 2014. The most popular one was definitely OpenVPN. It is (relatively) easy to configure and runs everywhere. However, we did consider a number of other protocols and implementations. We'll describe each of them in more detail. Note that some of them were not yet available around the time the eduVPN project started.

When evaluating different VPN technologies, we considered the following criteria:

PPTP

Point-to-Point Tunneling Protocol (PPTP) used to be a very popular VPN product. Various Windows, Linux and BSDs support both PPTP server and PPTP client mode.

Ever since the Windows PPTP implementation, which was the most popular one, was found to be insecure beyond repair, it is no longer advised to use PPTP.

IPsec

IPsec is very well integrated in most commonly used devices, both on desktop / laptop and mobile. It is quite difficult to create an IPsec setup that is both usable from all the commonly used platforms and secure. However, it is possible, as shown more recently by the Algo project.

The main drawback of IPsec (and thus Algo) is that it requires a working UDP connection.

OpenConnect

OpenConnect was originally written as an open source replacement for Cisco's AnyConnect SSL VPN client. Later, support for other commercial VPN products like Pulse Secure and Palo Alto Networks was added as well. There is also an OpenConnect server available.

The protocol uses both UDP and TCP (TLS), but can fall back to TCP only in case UDP does not work. It therefore works well in networks that block UDP. Recently, the OpenConnect protocol has been written down in an IETF draft document, which has by now expired.

There were three drawbacks to using OpenConnect: first, we couldn't find any documentation or other proof that the software received a third party audit. Second, the OpenConnect project didn't have "ready to use" clients available for the major platforms we wanted to support. Third, this open source project mimics three proprietary VPN products and therefore its future roadmap is largely dictated by closed source products.

Streisand

Streisand is a means to easily create a VPN server at a cloud provider. Streisand supports a variety of VPN products / protocols, e.g. WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh and Stunnel. Streisand was never meant as a solution to deploy and manage large scale VPN services, but offers an easy way to set up a VPN server that can be reached despite a whole range of different network restrictions between your current location and the VPN server.

WireGuard

WireGuard is the new kid on the block. It has a very simple approach, uses state-of-the-art cryptography, offers high performance (multithreading) and is much more convenient to audit because of its small codebase compared to e.g. IPsec and OpenVPN. WireGuard is a very promising product; however, as written on the WireGuard webpage, "WireGuard is not yet complete. You should not rely on this code." Therefore we are actively following the WireGuard development and supporting it. Currently, WireGuard only works over UDP. WireGuard itself is not a "managed solution", but we expect to integrate it in a future version of eduVPN.

OpenVPN

The open source community edition of OpenVPN has a big community. Having a big community increases the chances that the project will live a long life. In addition, it ensures there is a lot of documentation available, also regarding integration with a variety of different systems and platforms.

Furthermore, OpenVPN received extensive independent audits over the years. A recent report is found here.

OpenVPN has the built-in capability to tunnel over TCP, which, as mentioned before, is important to work in environments where UDP traffic is blocked or otherwise unreliable. OpenVPN had working clients available for all platforms we wanted to support, and more.
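As an added illustration (not configuration shipped by eduVPN or the OpenVPN project), the client profile below shows how the TCP fallback described above is expressed in OpenVPN: the client tries UDP first and, if that fails, moves on to TCP on port 443, while keeping server verification strict in both cases. The hostname `vpn.example.org` and the CN `vpn.example.org` are assumed placeholders.

```conf
# Added example client profile; hostnames and CN are placeholders.
client
dev tun
nobind

# Connection profiles are tried in order. The first uses UDP (fast path);
# the second falls back to TCP on 443, which usually survives networks
# that drop or throttle UDP.
<connection>
remote vpn.example.org 1194 udp
</connection>
<connection>
remote vpn.example.org 443 tcp-client
</connection>

# Give up on a profile after a bounded time instead of retrying forever,
# so a blocked UDP path does not stall the fallback to TCP.
connect-timeout 10
connect-retry 2
connect-retry-max 3

# Server authentication: the peer must present a server certificate and
# its CN must match the expected name (constructed placeholder).
remote-cert-tls server
verify-x509-name vpn.example.org name
tls-version-min 1.2

# Modern AEAD cipher and control-channel hardening.
cipher AES-256-GCM
auth SHA256
tls-client

# Keys and certificates are normally embedded inline (<ca>, <cert>, <key>,
# <tls-crypt>) in the profile handed out to the user; omitted here.
persist-key
persist-tun
verb 3
```

Because the same `<connection>` mechanism works for any number of endpoints, the same profile can list several eduVPN-style servers so the client rolls over to the next one when a path is unreachable.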

Conclusion

As no VPN product existed that offered the features required by eduVPN, we decided to build those features on top of an existing VPN technology. We believe VPN software should be released as open source software that has been audited by third parties. Products that had already undergone such audits had an advantage in our evaluation. In addition, a product with an extensive community, including support for the most common devices like smartphones, laptops and desktops, is a big plus. Being able to operate in broken network setups, e.g. networks where UDP is broken or blocked, is a must.

One VPN technology scored best in our evaluation: the community edition of OpenVPN. Therefore we decided to base eduVPN on top of OpenVPN.
