Users laud open source VPN code

Businesses interested in VPNs need not spend any money to find out more, because there is a wealth of open source VPN code available with which to experiment.

In fact, they might find the free software meets their needs and budgets well enough that they don't need to look to commercial software.

"We tested it in our labs, that's all. It cost us only some time," says Michel Blanc, assistant network administrator for Departement du Rhone, a division of government in France that uses OpenVPN software based on SSL technology.

The technical options among open VPN software run the gamut of commercial VPN gear from Point-to-Point Tunneling Protocol (PPTP) to IPSec. Some of the free software is interoperable with commercial implementations of the same technologies.

Openswan, the major open source IPSec code, is compatible with Cisco, Juniper, Check Point and other IPSec VPN vendors, including all vendors that ICSA Labs has certified as IPSec-compatible, says Ken Bantoft, vice president of business development for Xelerance, a private company devoted to developing the software.

Most open source VPN code is designed to run on Linux, the open source operating system, but much also has been written to run on other platforms. OpenVPN runs on Linux, Windows 2000 and XP, Mac OS X and Solaris as well as OpenBSD, FreeBSD and NetBSD flavors of free Unix.

Similarly, Poptop PPTP server software is written to support the free PPTP clients built into Microsoft operating systems starting with Windows 95 and extending to XP.

Some of this free code is stable enough to have found its way into commercial products: Openswan, for example, is used in security software sold by Astaro. The Astaro software in turn ships as part of Novell's Security Manager gateway appliance.

Openswan also ships with the Fedora version of Linux and is prepared to ship with Red Hat, Bantoft says.

It's not just software vendors who are interested in this free software. Service providers also are buying into open source VPN software. Witopia.net, an Internet security company, says it uses OpenVPN because it is simple to set up relative to IPSec VPNs, and it readily can cross firewalls that convert private IP addresses to public addresses - something that is time-consuming to set up with IPSec.

Witopia.net bases its personal VPN service on the software because it is free, installs simply and scales to thousands of users, says Steve Shippa, the company's co-founder. The software supports network layer access and tunnels traffic via SSL.

The service is used to shore up the privacy of a connection between a remote user and Witopia.net's network, Shippa says. In particular, it's meant to keep eavesdroppers from preying on users connecting to the Internet via Wi-Fi hot spots, he says.

The only shortcoming he noted was that strong authentication must be added to ensure that unauthorized users don't connect. Shippa says he remedied the problem by setting up Witopia.net's own certificate authority to guarantee users are who they say they are.

Openswan IPSec software relies on strong authentication, and Xelerance has written extensions to it for a customer that supports Internet Key Exchange aggressive mode authentication, Bantoft says.

Openswan also is finding its way into corporate use, including a 500-site bank deployment, Bantoft says. While he couldn't supply the bank's name, he says it chose Openswan because the bank already had bought Linux-based kiosks and wanted to secure the links to its data center.

While there are many seeming advantages to open source code, there are also drawbacks. Blanc says documentation for OpenVPN was scattered across the Internet. If he has a problem, and he says he's had only a few minor ones, he resorts to mailing lists. So far, the responses have been prompt and reliable.

Users are also at the whim of whoever is in charge of upgrading the code. Whereas commercial software vendors generally have release schedules and offer support for making upgrades, open source code changes are unpredictable. "I must upgrade often," Blanc says.

Bantoft says he has a list of upgrades and other improvements to make to Openswan, but with a staff of five at Xelerance, it's a constant struggle. The software is compatible with Red Hat Linux, but before it can ship with it he has to push through U.S. trade regulations limiting the shipment of encryption technologies.

Despite drawbacks, users seem satisfied. "I have yet to find anything substantial we've given up by using it," Witopia.net's Shippa says.
