In 2014, eduVPN started as a small project to provide students and employees with a reliable VPN solution that integrates with federated authentication. Currently more than 100 organizations worldwide use eduVPN. An important event in 2014 greatly influenced the development of eduVPN, and led us to embrace an important principle: less code means a more secure service.
Vulnerability in OpenSSL
So what happened in 2014? That year a serious vulnerability (Heartbleed) was discovered in OpenSSL, a widely used library for establishing secure connections. OpenSSL is used on web servers, among other things, but also in VPN products such as OpenVPN. After analysis, it turned out that the software had become too complex. Erik Poll, Associate Professor at Radboud University’s Digital Security Group, advises limiting complexity when software has to be secure: clearer software can be pen tested and audited more effectively.
Complexity bad for security
Such views are, however, much older. One of the oldest and best-known engineering principles is KISS: Keep It Simple, Stupid. The US Navy was already using this principle in 1960, knowing that systems work better if they are kept simple. This applies to systems in a broad sense, including software and security.
Complexity also scores high in the OWASP Top 10
Therefore: eduVPN’s software architecture as simple as possible
With this knowledge in mind, we have developed eduVPN. This is reflected in the software architecture of the eduVPN server. Over the years, it has only become smaller in terms of code, in contrast to the average software package, which only expands. In line with our ‘less is more’ philosophy, we deliberately keep the functionality of the product limited. In addition, we regularly perform (source code) audits on the server and client software, especially after major changes to the source code. eduVPN customers can view these audit reports. We also use a vulnerability scanner to check whether the service is properly set up in practice.
Open source and public values
Furthermore, the premise of eduVPN was that all resources, such as software, documentation and images, had to be available under an open source license. Not only for (international) education and research, but also beyond: think, for example, of Internet Service Providers (ISPs), government, companies and SMEs. This was reinforced by the SIDN fund supporting the software development with the aim of realizing good and reliable VPN software that everyone can use. This open approach ensures that organizations keep control themselves without being dependent on big tech, and thus strengthens their digital autonomy. Contrast this with VPN solutions from commercial parties, where you have no access to the (often far too complex) technology, nor to documentation such as audit reports. This creates a strong dependence: the commercial provider is the only party that can produce and release bug fixes and/or security fixes.
“In general you can say that closed source mainly benefits the producer of the software and that open source benefits the buyers.”
Quote from Professor Bart Jacobs, Radboud University
Reference in Dutch
For the implementation of the VPN technology, we opted for OpenVPN in 2014. At the time it was the only product we had enough confidence in, especially because it was the only VPN product that had been internationally audited by security professionals, researchers and governments. Nowadays WireGuard is the new kid on the block, and we are investing in supporting it in the future. We will cover WireGuard support in a future blog post.
Writing code is deleting
Because we apply this principle, thousands of people in education and research have been using eduVPN for years without any problems. We will of course continue to apply it in our product development, because the world in 2022 shows that, as an organization, you can never rest on your laurels when it comes to security. The same applies when writing code: writing is deleting!
Via eduVPN, employees and students can securely connect to their institution’s network from home. This gives them secure access to protected internal resources such as scientific journals, financial systems, student information systems, license servers and file servers. eduVPN is the open source VPN solution for education and research. More than 100 organizations worldwide already use this service.
This blog was originally posted in Dutch here