Hello guys. I have an OpenVPN question. I was reading about OpenVPN and how it uses SSL to create site-to-site SSL VPN tunnels using UDP. My understanding is that it’s UDP that gives it a speed advantage. I also know that Cisco ASA devices can be used to create SSL VPNs but not site-to-site VPNs, only with the use of a client (Cisco AnyConnect) or through a web portal. OpenVPN implements SSL VPNs quite differently and supports a site-to-site style VPN while it does not support a web portal style VPN.
What are some of the technical reasons one might favour OpenVPN over Cisco? Can Cisco match all of the technical features of OpenVPN? Why or why not? Can Cisco ASA devices be configured to create site-to-site SSL VPNs with all the benefits of OpenVPN?
Thanks in advance, Eric
ASA doesn’t do SSL for site-to-site. It only works in a client/server relationship using AnyConnect or using the web VPN. For those, it can use DTLS which uses UDP port 443.
First off, from OpenVPN website: OpenVPN’s security model is based on using SSL/TLS for session authentication and the IPSec ESP protocol for secure tunnel transport over UDP
Use of the IPsec ESP protocol is there for the speed benefit because it’s faster than straight SSL for tunnel transport, although “faster” is relative to the processor power available on the devices and the throughput of the connection. SSL can be, and is, just as fast as using ESP for transport in many instances.
OpenVPN does not support a full IPsec VPN in any fashion, which is what everyone else uses for site-to-site VPNs. OpenVPN using SSL for site-to-site tunnels is pretty much unique to them. There’s really no reason to need site-to-site SSL tunnels. If there was, Cisco and every other firewall manufacturer would have gone that route.
If your only consideration is site-to-site VPNs, then you shouldn’t even be bothering to compare OpenVPN to firewalls like Cisco ASA, FortiGate, Juniper SRX, CheckPoint, etc. I’d imagine OpenVPN is really not used all that much for site-to-site VPN. Its popularity is driven by client-to-server VPN, and more importantly, that it’s available completely free in many products.
When people talk SSL VPN, they are talking client-server. Again, OpenVPN doing SSL for site-to-site VPN is really a special case, and I doubt anyone even considers that when they start comparing SSL VPN products.
When you compare OpenVPN as an “SSL VPN” from the client-server viewpoint, to products like Cisco AnyConnect, or Juniper Secure Access, or FortiGate’s SSL VPN offering (and a variety of other offerings) then OpenVPN is heavily deficient on features. OpenVPN offers no web portal for any form of clientless access. OpenVPN doesn’t offer “application tunneling” where you can restrict traffic through VPN config to specific applications or ports. OpenVPN is only a full layer 3 VPN tunnel.
You’re comparing apples and oranges, really.
One of the great things about SSL-based VPN was an alternative to complicated IPSec software clients for the client computer. IPSec is a complex suite of protocols, and navigating some SOHO routers and firewalls was a support nightmare. SSL-based VPN however is easy: port 443 TCP and/or 443 UDP for optional DTLS.
OpenVPN is free, and scale of deployment is probably going to be limited to a smallish, tech-savvy client base, capable and okay with running third party software clients. From an IT perspective you’d run into support issues since you really don’t have a hardware or software vendor to complain to (i.e. Cisco). If you’re looking to roll out remote VPN to an enterprise for example, you’d want something with more policy, control and push features; Cisco AnyConnect.
As for site-to-site VPN, why would you want SSL for that? The ASA is perfectly capable of the industry-standard of IPSec tunneling for that purpose.
OpenVPN can be a nice solution but requires a lot of development to get there. It’s more of a tool that you use to build your own solution than a competitor to something like AnyConnect.
That said you can build a pretty amazing service if you can develop your own web portal to manage OpenVPN and bundle it with a solid third party client like Viscosity (the FOSS clients are terrible and the official client really only works well with Access Server which isn’t that great).
There are a number of things you want to do with OpenVPN:
- Replace authentication with custom scripts that restrict client certificate CN to correct users
- Add a server-side firewall script that places appropriate restrictions on each client when they connect
- Build a web portal to configure the VPN and dynamically generate the client configuration and certificate files for download.
At the end of the day I think it depends on scale. If you have 20 users AnyConnect might be cheaper. If you have 1000 users then it’s worth throwing man hours at building a solid OpenVPN solution that you can run for a few thousand dollars instead of tens of thousands.
Site-to-site VPN I don’t know why you would bother with OpenVPN instead of just using a standard IPsec tunnel.
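The three items in the list above (restricting authentication to known certificate CNs, a server-side firewall script applied per client on connect, and per-client configuration generated dynamically) can all be done with OpenVPN's own script hooks. The following is an added example, not code from this thread or from the OpenVPN project. It uses the real `tls-verify`, `client-connect` and `client-disconnect` hooks and the `script_type`, `common_name` and `ifconfig_pool_remote_ip` environment variables OpenVPN sets for them; the paths `/etc/openvpn/hooks.py` and `/etc/openvpn/policy.json`, the two-user policy and the `ovpn_` chain naming are assumptions made for the example.

```python
#!/usr/bin/env python3
"""OpenVPN server-side hook script (added example, not from the thread).

Assumed (hypothetical) server.conf lines that wire it in:
    script-security 2
    tls-verify        /etc/openvpn/hooks.py
    client-connect    /etc/openvpn/hooks.py
    client-disconnect /etc/openvpn/hooks.py
OpenVPN tells the script which hook it is via the script_type environment
variable and passes common_name / ifconfig_pool_remote_ip to the client hooks.
"""
import ipaddress
import json
import os
import re
import subprocess
import sys
from typing import Optional

POLICY_PATH = "/etc/openvpn/policy.json"  # hypothetical: CN -> allowed networks

# Constructed sample policy, same shape as the JSON file would have.
SAMPLE_POLICY = {
    "alice": ["10.10.0.0/24"],
    "bob": ["10.10.0.0/24", "10.20.0.0/24"],
}


def parse_cn(subject: str) -> Optional[str]:
    """Pull CN out of the subject string OpenVPN hands to tls-verify.
    OpenVPN 2.4+ passes 'CN=alice, O=Example'; older builds and
    --compat-names pass '/C=US/O=Example/CN=alice'. Both forms are handled."""
    if subject.startswith("/"):
        parts = subject.strip("/").split("/")
    else:
        parts = [p.strip() for p in subject.split(",")]
    for part in parts:
        if part.startswith("CN="):
            return part[3:]
    return None


def tls_verify(depth: int, subject: str, policy: dict) -> bool:
    """Accept a client certificate only if its CN is a known user.
    depth > 0 is an issuer certificate: OpenVPN has already validated the
    chain against the configured CA, so only the leaf (depth 0) is policed."""
    if depth != 0:
        return True
    cn = parse_cn(subject)
    return cn is not None and cn in policy


def client_connect_directives(common_name: str, policy: dict) -> list:
    """Lines written to the temp file OpenVPN passes to client-connect; it
    reads them back as per-client config. 'route' takes 'network netmask',
    not CIDR, hence the ipaddress conversion."""
    lines = []
    for net in policy[common_name]:
        n = ipaddress.ip_network(net, strict=True)
        lines.append(f'push "route {n.network_address} {n.netmask}"')
    return lines


def chain_name(common_name: str) -> str:
    """Per-client iptables chain. Chain names are limited to 28 characters,
    and the CN is sanitised so a crafted subject cannot smuggle in options."""
    return "ovpn_" + re.sub(r"[^A-Za-z0-9_]", "_", common_name)[:23]


def firewall_rules(common_name: str, client_ip: str, nets: list) -> list:
    """argv lists (never a shell string) that confine the client's tunnel
    address to its allowed networks; a dedicated chain keeps teardown simple."""
    chain = chain_name(common_name)
    cmds = [
        ["iptables", "-N", chain],
        ["iptables", "-I", "FORWARD", "-i", "tun+", "-s", client_ip, "-j", chain],
    ]
    for net in nets:
        cmds.append(["iptables", "-A", chain, "-d", net, "-j", "ACCEPT"])
    cmds.append(["iptables", "-A", chain, "-j", "DROP"])
    return cmds


def firewall_cleanup(common_name: str, client_ip: str) -> list:
    """Undo firewall_rules when the client disconnects."""
    chain = chain_name(common_name)
    return [
        ["iptables", "-D", "FORWARD", "-i", "tun+", "-s", client_ip, "-j", chain],
        ["iptables", "-F", chain],
        ["iptables", "-X", chain],
    ]


def main(argv: list) -> int:
    with open(POLICY_PATH) as f:
        policy = json.load(f)
    hook = os.environ.get("script_type")
    if hook == "tls-verify":            # argv: depth, subject; exit 1 rejects
        return 0 if tls_verify(int(argv[1]), argv[2], policy) else 1
    cn = os.environ["common_name"]
    client_ip = os.environ["ifconfig_pool_remote_ip"]
    if hook == "client-connect":        # argv: temp file for per-client config
        with open(argv[1], "w") as f:
            f.write("\n".join(client_connect_directives(cn, policy)) + "\n")
        cmds = firewall_rules(cn, client_ip, policy[cn])
    elif hook == "client-disconnect":
        cmds = firewall_cleanup(cn, client_ip)
    else:
        return 1
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit from the `tls-verify` hook aborts the handshake, so a valid certificate from the right CA is still useless unless its CN is in the policy file, which is what makes revocation-by-policy and CN whitelisting possible without re-issuing the CA. The same `client_connect_directives` logic is what a web portal would reuse when it generates a user's client configuration for download.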
Like everyone else is saying, OpenVPN’s use is really for roaming clients (phones, laptops, etc.). If you need site-to-site (network to network), you should be using IPsec (OpenSWAN, Checkpoint, etc.).
There seem to be plenty of people who have used OpenVPN for site-to-site since the early days. I use it for AWS region to region and region to colo site-to-site, and I believe there are a number of tutorials for setting up OpenVPN site-to-site for AWS. US colo to Japan, US colo in San Jose to AWS nor-cal, star and point-to-point - all worked great with no issues.
BTW, I used tiny 512MB VMs and pushed plenty of traffic with uptimes of months; never had problems with any site-to-site implementation of OpenVPN.
What is a standard IPsec tunnel? You still need some software on the server. Some kind of IPsec server.
Yup. A base VM from DigitalOcean; I connected my house, my parents’ and another VM in another geolocation via OpenVPN, all with dynamic OSPF routing.