1. Introduction

A VPN is a network made up of multiple private networks situated at different locations, linked together using secure tunnels over a public (insecure) network, typically the Internet. Traffic inside VPN tunnels is usually encrypted and authenticated to provide security equivalent to that provided by leased lines, but at a fraction the cost. A tunnel is created by encapsulating a network protocol (e.g. IP) within another network protocol, operating at the same layer of the OSI model (e.g. IP, ICMP) or at a higher layer (e.g. ESP, TLS).

VPNs are becoming increasingly popular, as they allow companies to join the LANs of their branches or subsidiaries into a single private network (site-to-site VPNs) or to provide mobile employees, such as sales people, access to their corporate network from outside the premises (remote-access VPNs), thus making accessing and sharing internal information much easier.

Though most often associated with IPsec, VPNs are a rather broad concept and can be implemented using a number of different tunneling protocols (L2TP, MPLS, PPTP, TLS, among others). In particular, in this document, we will take a look at the three most popular VPN implementations supported by OpenBSD:

a suite of standard protocols, defined in various RFCs (see Appendix), that operate at the network layer of the OSI model; OpenBSD natively supports IPsec protocols and provides specific tools and daemons to manage IPsec VPNs;
an SSL-based VPN solution, operating at the application layer and probably the strongest contender for IPsec, thanks to its robustness, ease of use and portability;
since release 4.3, OpenSSH supports the tunneling of arbitrary network packets over a connection between an OpenSSH client and server, as a true VPN (see [OBSD39]).

Besides the inherent differences in cryptographic algorithms and authentication mechanims, these three VPN implementations differ under several aspects; each one has its own advantages and drawbacks and the choice among them must consider not only the ease of installation and administration, but also factors like bandwidth, reliability and scalability. The following are the most relevant differences:

Despite the many differences, OpenVPN has some common ground with IPsec, since, as stated in [OVPN-SEC], OpenVPN's security model is heavily based on the IPSec ESP protocol for secure tunnel transport over UDP.

This document assumes that you are familiar with OpenBSD, since it won't cover topics like base system configuration, packages/ports installation or Packet Filter syntax.