What is OpenVPN, and how does it work?

OpenVPN is one of the most widely used and trusted VPN protocols in the industry. It has a strong reputation built on its robust encryption and proven security design, as well as its open-source code.
This guide explains how the OpenVPN protocol works, assesses its security, and compares it to other popular options available today.
Understanding the basics of OpenVPN
This section covers the fundamental concepts of OpenVPN, clarifying its role as a protocol, its availability, and how it differs from VPNs in general.
What does OpenVPN do?
Like other VPN protocols, OpenVPN creates an encrypted connection between your device and a VPN server. This encrypted link functions as a private tunnel: anyone on the path between you and the server, from your internet service provider (ISP) to a malicious third party, can see that you are talking to the VPN server but cannot read the traffic inside the tunnel or see where it is ultimately going.
Is OpenVPN free?
The OpenVPN protocol itself is free and open-source. The official project even provides a Community Edition that anyone can download and use at no cost.
However, to use the protocol, you need access to a configured OpenVPN server. You can set up your own server, but this requires technical knowledge about TLS certificates, networking, and firewall setup. For most users, it’s much easier and more reliable to use a VPN provider like ExpressVPN, which offers a global network of servers that are already configured for you as part of their paid service.
What is the difference between a VPN and OpenVPN?
A VPN (virtual private network) is a service or technology that creates a private, secure tunnel between your device and a VPN server over the internet. OpenVPN is one of the specific protocols used to build that tunnel. You can think of a VPN as a locked house and OpenVPN as a specific kind of lock used to secure that house.
For an even simpler breakdown, read our guide that provides a beginner-friendly introduction to VPNs.
How does OpenVPN work?
Below are the steps involved in establishing an OpenVPN connection.
Initiation
When an OpenVPN session begins, the client (your device) contacts the VPN server using the transport protocol and port set in its configuration file. UDP is the usual choice, with TCP kept as a fallback for networks that block UDP, and the default port is 1194. Transport and port are not negotiated: the client’s settings must match the way the server has been configured to listen. This step lays the foundation for the secure tunnel that follows.
Authentication
Next, the client and server prove their identities to each other through a TLS handshake on what OpenVPN calls the control channel. Both sides normally present X.509 certificates signed by a Certificate Authority (CA) that the other side trusts: the client won’t proceed unless the server’s certificate validates against its CA, and the server rejects any client without a valid one. Certificate checking is only as strong as the client’s configuration, however. Every certificate the CA ever issued validates, so the client should also confirm that the one it received was issued for a server (the remote-cert-tls server directive, or verify-x509-name to pin the expected name); otherwise any other client holding a certificate from the same CA could impersonate the server.
OpenVPN can add two further checks. A pre-shared key configured with tls-auth attaches an HMAC to every control-channel packet, and tls-crypt additionally encrypts the control channel; either way, packets without a valid HMAC are dropped before they reach the TLS handshake code, which shields the server from unauthenticated probing and denial-of-service attempts. A username/password check can also be required on top of the certificates.
Tunnel creation
After authentication, the TLS handshake completes and both sides derive temporary session keys for the data channel. These keys exist only in memory for the life of the session and are never written to disk; they encrypt and authenticate every packet that passes through the VPN tunnel.
Encryption
Modern OpenVPN deployments negotiate AES-256-GCM for the data channel by default. Forward secrecy comes from the ephemeral key exchange in the TLS handshake: because session keys are derived from one-time values rather than from the server’s long-term private key, a later compromise of that key does not let an attacker decrypt traffic recorded earlier. OpenVPN also renegotiates the session keys periodically (every hour by default, controlled by the reneg-sec option), which limits how much traffic any single key ever protects.
Data transmission
Once traffic enters the VPN tunnel, it is encrypted and sent to the server. The server decrypts the data and forwards it to its intended destination, e.g., a website. Since traffic passes through the VPN server, websites and services see the server’s IP address instead of the user’s, helping protect privacy online. Keep in mind that the tunnel’s encryption ends at the VPN server: traffic leaves it exactly as the application sent it, so protection beyond that point still depends on the application’s own encryption, such as HTTPS.
Is it safe to use OpenVPN?
OpenVPN is considered one of the most secure VPN protocols available today for several reasons.
Security audits and transparency
OpenVPN has undergone several security audits. While these audits have uncovered vulnerabilities from time to time, they have been addressed relatively quickly.
For example, a 2017 audit funded by the Open Source Technology Improvement Fund found two remotely triggerable denial-of-service vulnerabilities, which were fixed in the next OpenVPN release. And in 2024, Microsoft researchers identified multiple medium-severity vulnerabilities in OpenVPN, which were patched in version 2.6.10.
The biggest testament to OpenVPN’s transparency is the fact that it’s completely open-source. Anyone can read the source code on GitHub to vet the implementation and inspect it for vulnerabilities.
Encryption standards
OpenVPN does not implement its own cryptography; it uses a TLS library, OpenSSL by default (mbedTLS is also supported), so the ciphers available to it are the ones that library provides. Modern versions negotiate an AEAD cipher for the data channel, AES-256-GCM by default, with AES-128-GCM and ChaCha20-Poly1305 as alternatives. Older ciphers such as Blowfish (BF-CBC), DES, and 3DES are 64-bit block ciphers vulnerable to SWEET32-style attacks; OpenVPN 2.6 refuses them unless they are explicitly listed in data-ciphers and, with OpenSSL 3, the library’s legacy provider is loaded. They should not be used.
For authentication and key exchange, the control channel is an ordinary TLS session, so OpenVPN supports what the TLS library offers: RSA or ECDSA certificates and ephemeral Diffie-Hellman or elliptic-curve Diffie-Hellman (ECDH) for the key exchange. Data integrity depends on the data-channel cipher: AEAD ciphers such as AES-GCM and ChaCha20-Poly1305 authenticate every packet themselves, while the separate HMAC chosen with the auth directive (typically SHA-256) applies to CBC-mode ciphers and to tls-auth. OpenSSL also provides less common digests such as SHA-3, SM3, and Whirlpool, but there is rarely a reason to choose them.
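The directives behind the handshake, authentication and encryption steps described earlier, and the cipher choices just discussed, all live in the client’s .ovpn profile, and a profile that connects perfectly well can still leave most of them unenforced. The following Python script, added as an example for this article and not code from the OpenVPN project, parses a profile and reports the settings a practitioner should check before trusting it. The two embedded profiles are constructed; vpn.example.net is a placeholder host, and the inline ca and tls-crypt blocks hold placeholder text rather than key material.

```python
"""Audit an OpenVPN client profile (.ovpn) for the directives that decide whether
the authentication, tunnel and encryption steps described above are enforced.
Added example for this article, not OpenVPN project code; the sample profiles
are constructed and their inline blocks hold placeholder text, not key material."""

# Directives that make OpenVPN run external commands: in a profile obtained from
# someone else they are remote code execution on the client.
SCRIPT_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange",
                     "tls-verify", "auth-user-pass-verify", "client-connect"}
# 64-bit block ciphers (SWEET32) and 'none' are never acceptable on the data channel.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}


def parse_profile(text):
    """Return ({directive: [argument lists]}, {inline block names}); the contents
    of <tag>...</tag> blocks (certificates, keys) are skipped, not stored."""
    opts, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                 # inside an inline block
            if line == f"</{current}>":
                current = None
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            current = line[1:-1]
            blocks.add(current)
            continue
        name, *args = line.split()
        opts.setdefault(name.lower(), []).append(args)
    return opts, blocks


def first_arg(opts, name, default=None):
    """First argument of the first occurrence of a directive, or default."""
    args = opts.get(name, [[]])[0]
    return args[0] if args else default


def audit_profile(text):
    """Return a list of (severity, message) findings; empty means nothing to report."""
    opts, blocks = parse_profile(text)
    findings = []
    # 1. Server identity: a CA signature alone does not prove the peer is a server.
    if "remote-cert-tls" not in opts and "verify-x509-name" not in opts:
        findings.append(("HIGH", "no remote-cert-tls/verify-x509-name: any certificate "
                                 "signed by the CA, including another client's, is accepted"))
    # 2. Control-channel gate: tls-crypt (encrypt + HMAC) or tls-auth (HMAC only).
    if not {"tls-crypt", "tls-crypt-v2", "tls-auth"} & (set(opts) | blocks):
        findings.append(("MEDIUM", "no tls-crypt/tls-auth: unauthenticated packets reach the TLS code"))
    # 3. Pin the TLS floor instead of relying on the build default.
    tls_min = first_arg(opts, "tls-version-min", "unset")
    if tls_min not in ("1.2", "1.3"):
        findings.append(("MEDIUM", f"tls-version-min is {tls_min}: set it to 1.2 or higher"))
    # 4. Data-channel ciphers, from both the legacy 'cipher' and the 'data-ciphers' list.
    ciphers = {c.upper() for args in opts.get("cipher", []) + opts.get("data-ciphers", [])
               for a in args for c in a.split(":")}
    for weak in sorted(ciphers & WEAK_CIPHERS):
        findings.append(("HIGH", f"weak data-channel cipher {weak} allowed"))
    # 5. HMAC for CBC-mode data packets and for tls-auth.
    auth = first_arg(opts, "auth", "").upper()
    if auth in {"NONE", "MD5"}:
        findings.append(("HIGH", f"auth {auth}: no usable integrity protection"))
    # 6. Compressing plaintext inside the tunnel enables VORACLE-style attacks.
    if any(a and a[0].lower() in {"lzo", "lz4", "lz4-v2"} for a in opts.get("compress", [])) \
            or any(not a or a[0].lower() != "no" for a in opts.get("comp-lzo", [])):
        findings.append(("MEDIUM", "compression enabled inside the tunnel (VORACLE)"))
    # 7. Scripts embedded in the profile.
    scripts = SCRIPT_DIRECTIVES & set(opts)
    if scripts:
        level = first_arg(opts, "script-security", "1")
        findings.append(("HIGH", f"profile runs external commands ({', '.join(sorted(scripts))}) "
                                 f"with script-security {level}"))
    return findings


WEAK_PROFILE = """\
# constructed: connects, but enforces almost nothing
client
remote vpn.example.net 1194
cipher BF-CBC
auth MD5
comp-lzo
script-security 2
up /etc/openvpn/update-resolv-conf
"""

HARDENED_PROFILE = """\
# constructed: the same connection with every check above satisfied
client
remote vpn.example.net 1194
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
<ca>
placeholder, not a real certificate
</ca>
<tls-crypt>
placeholder, not a real key
</tls-crypt>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, *(f"  [{sev}] {msg}" for sev, msg in audit_profile(profile)), sep="\n")
```

Running it lists seven findings for the weak profile and none for the hardened one. The last check is the one to remember when importing a profile from any provider or colleague: a .ovpn file can carry up or down directives, and OpenVPN will execute whatever they name when script-security permits it, so read a profile before you load it.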
Can OpenVPN track your activity?
The OpenVPN protocol itself does not track, store, or log any of your online activity. Its sole purpose is to establish and maintain a secure and private connection.
Whether any data is logged depends on the VPN service provider and its policies. Some VPNs may keep connection or usage records, while others follow strict no-logs policies. This makes it important to choose a trustworthy VPN with an independently audited no-logs policy like ExpressVPN.
Comparing OpenVPN with other VPN protocols
While OpenVPN is an excellent all-around choice, it’s not the only option available. The best VPN protocol for you depends on your specific needs, so it’s important to see how OpenVPN compares to the alternatives.
OpenVPN TCP vs. UDP
OpenVPN can run over either of the two internet transport protocols, TCP and UDP. UDP is recommended for performance. TCP is useful on restrictive networks, particularly when the server is configured to listen on TCP port 443, the port used for HTTPS, because firewalls that allow web browsing rarely block it. Note that this only defeats port-based filtering: OpenVPN’s framing on the wire is not TLS, so a firewall that inspects protocol headers can still tell the two apart.
What is TCP?
TCP (Transmission Control Protocol) is designed for reliability. It’s like sending a registered letter, meaning the recipient must sign to confirm delivery. If a letter isn’t received, it’s resent. This process ensures that every packet of data arrives in the correct order.
While TCP makes connections highly stable, the constant acknowledgements and retransmissions add overhead, making TCP the slower of the two options. It also interacts poorly with the TCP connections carried inside the tunnel: when a packet is lost, both the tunnel and the inner connection retransmit it, and the two recovery mechanisms compound each other (the so-called TCP-over-TCP problem). TCP is best used when a stable connection matters more than throughput, for example on networks that block UDP.
What is UDP?
UDP (User Datagram Protocol) is designed for speed. It’s like sending a postcard: once you drop it in the mailbox, it just goes, with no confirmation that it arrives. UDP does include a checksum so that corrupted packets are discarded, but it has no acknowledgements, ordering, or retransmission: a packet lost in transit is simply gone, and packets may arrive out of order.
There’s much less overhead in UDP, since there is no connection handshake and no retransmission bookkeeping, which means lower latency and better throughput. Applications that need reliability, such as the TCP connections carried inside the tunnel, recover lost packets themselves, and OpenVPN’s control channel adds its own reliability layer so that the TLS handshake completes over UDP even when packets are lost. This makes UDP the preferred transport in general, and especially for latency-sensitive activities such as online gaming, video streaming, and voice calls.
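To see why listening on TCP port 443 only helps against port-based blocking, compare the first bytes of an OpenVPN connection with the first bytes of a real HTTPS connection. The Python below is an added example for this article, not code from the OpenVPN project; its opcode table and header layout follow OpenVPN’s documented protocol (byte 0 is opcode << 3 | key_id, control packets then carry an 8-byte session id, and over TCP each packet is preceded by a 2-byte big-endian length), and every packet it examines is constructed inside the script.

```python
"""Decode the cleartext framing of OpenVPN packets and compare it with a TLS record
on the same TCP port. Added example for this article (not OpenVPN project code).
Layout per OpenVPN's protocol documentation: byte 0 = (opcode << 3) | key_id;
control packets then carry an 8-byte session id; over TCP every packet is
preceded by a 2-byte big-endian length. All packets below are constructed."""
import struct

OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
DATA_OPCODES = {6, 9}   # data packets carry no session id in the clear


def parse_packet(pkt):
    """Decode the unencrypted header of one OpenVPN packet (a UDP payload or one
    TCP frame). tls-crypt encrypts the control payload but never these bytes."""
    if not pkt:
        raise ValueError("empty packet")
    opcode, key_id = pkt[0] >> 3, pkt[0] & 0x07
    if opcode not in OPCODES:
        raise ValueError(f"unknown opcode {opcode}")
    info = {"opcode": OPCODES[opcode], "key_id": key_id, "session_id": None}
    if opcode not in DATA_OPCODES:
        if len(pkt) < 9:
            raise ValueError("control packet too short for a session id")
        info["session_id"] = pkt[1:9].hex()
    return info


def parse_tcp_stream(payload):
    """Split a TCP byte stream into its length-prefixed OpenVPN packets."""
    packets, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">H", payload[off:off + 2])
        frame = payload[off + 2:off + 2 + length]
        if len(frame) != length:
            raise ValueError("truncated frame")
        packets.append(parse_packet(frame))
        off += 2 + length
    return packets


def classify_port443(payload):
    """What a protocol-aware filter sees in the opening bytes on TCP/443."""
    if not payload:
        return "unknown"
    # A TLS record starts with content type 0x16 (handshake), version 0x03 0x0{1,2,3}.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] in (1, 2, 3):
        return "tls-handshake"
    try:
        packets = parse_tcp_stream(payload)
    except ValueError:
        return "unknown"
    if packets and packets[0]["opcode"].startswith("P_CONTROL_HARD_RESET"):
        return "openvpn-handshake"
    return "openvpn"


def build_client_hard_reset(session_id, tcp=True):
    """Constructed P_CONTROL_HARD_RESET_CLIENT_V2 as sent by a client without
    tls-auth/tls-crypt: opcode byte, session id, empty ack array, packet-id 0."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    pkt = bytes([(7 << 3) | 0]) + session_id + b"\x00" + struct.pack(">I", 0)
    return struct.pack(">H", len(pkt)) + pkt if tcp else pkt


# Constructed TLS ClientHello record header (body truncated; only the first
# three bytes matter to the classifier).
TLS_CLIENT_HELLO_HEAD = bytes.fromhex("16030102000100")

if __name__ == "__main__":
    ovpn = build_client_hard_reset(bytes.fromhex("0123456789abcdef"))
    print("OpenVPN/TCP:", ovpn.hex(), "->", classify_port443(ovpn), parse_tcp_stream(ovpn)[0])
    print("TLS record :", TLS_CLIENT_HELLO_HEAD.hex(), "->", classify_port443(TLS_CLIENT_HELLO_HEAD))
```

The TLS record opens with 0x16 0x03 0x01; the OpenVPN stream opens with a length prefix followed by 0x38, the P_CONTROL_HARD_RESET_CLIENT_V2 opcode, and the sender’s session id, all of which stay in the clear even with tls-crypt. A filter that looks at protocol headers rather than port numbers can therefore separate the two, which is the caveat to keep in mind whenever OpenVPN on port 443 is compared with other protocols’ ports.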
OpenVPN vs. WireGuard
WireGuard is a much newer VPN protocol than OpenVPN. It’s also open-source, and one of its key strengths is a small codebase: its Linux kernel implementation is roughly 4,000 lines of code. Due to this, it’s much easier to audit, maintain, and inspect for vulnerabilities.
WireGuard is generally considered faster and more efficient than OpenVPN, making it an excellent choice for activities like gaming, streaming, and downloading large files. WireGuard is also simpler to configure, using a fixed suite of cryptographic tools: ChaCha20-Poly1305 for encryption and authentication and Curve25519 for key exchange.
While the simplicity can be beneficial, it does mean that WireGuard is less flexible than OpenVPN. Since OpenVPN supports various encryption methods available through the OpenSSL library, its configuration can be fine-tuned according to specific requirements. This makes it a preferred option in enterprise deployments.
OpenVPN vs. IKEv2
IKEv2 (Internet Key Exchange version 2) is another widely used protocol that uses IPsec for encryption. The main advantage of IKEv2 is its reliability on mobile devices; its support for the MOBIKE protocol lets IKEv2 maintain a stable VPN connection even as you switch from a Wi-Fi network to mobile data. Plus, it has minimal impact on a device’s battery life.
IKEv2 is generally considered faster than OpenVPN, but one downside is that it is easier to block on restrictive networks. IKEv2 uses UDP port 500 (and UDP port 4500 when traversing NAT) together with the IPsec ESP protocol, all of which are simple to filter. OpenVPN, on the other hand, can be configured to listen on TCP port 443, which is far harder to block outright because it is the port used for HTTPS traffic.
OpenVPN vs. ExpressVPN Lightway
Lightway is a modern VPN protocol built from the ground up by ExpressVPN. It was designed to be faster, more reliable, and more secure than older protocols. It's significantly more efficient than OpenVPN, with a lightweight Rust-based codebase that enables faster connection speeds and uses less battery power.
While OpenVPN is renowned for its security, Lightway was built with next-generation threats in mind. It uses the rigorously vetted wolfSSL cryptography library and includes post-quantum protection by default, shielding you from future advancements in code-breaking.
Following the same principles that made OpenVPN a trusted standard, ExpressVPN has also made Lightway transparent by making it open-source and available for anyone to inspect. What’s more, Lightway has cleared multiple independent audits by Cure53 and Praetorian.
OpenVPN vs. legacy VPN protocols
Compared to legacy protocols, OpenVPN is vastly more secure and reliable. Its strong encryption, open-source transparency, and reliable performance make it the superior choice.
- PPTP (Point-to-Point Tunneling Protocol): PPTP offers fast speeds, but this is only because it uses weaker encryption algorithms that require less computation. Plus, it has significant security vulnerabilities that make it easy to crack, meaning it’s not a great choice for securing your online activity.
- L2TP/IPsec (Layer 2 Tunneling Protocol): While L2TP provides security improvements over PPTP, these improvements add overhead that reduces connection speeds. Plus, L2TP itself doesn’t provide encryption and relies on IPsec to secure data.
It’s also worth highlighting that Microsoft has deprecated these legacy protocols owing to their various security issues.
How to set up OpenVPN on your device
To use OpenVPN, you can either configure it manually using client software and configuration files, or you can use a commercial VPN app that handles the entire process for you.
Manual configuration steps
Below are the steps to set up OpenVPN manually on your device using the GUI client available at OpenVPN’s official website. While using an existing VPN app that supports this protocol is much easier, manual configuration can be worthwhile if you want more control over your configuration.
The steps below cover how you can configure OpenVPN manually on Windows, but it’s just as easy to do so on macOS and Linux.
1. You’ll need .ovpn configuration files to start. For ExpressVPN, you can get these at the official website. Start by clicking My Account.
2. Use your credentials to log into ExpressVPN’s web portal.
3. Click the More option on the ExpressVPN web portal.
4. Choose Manual Configuration in the additional options.
5. On the right-hand side of the Manual Configuration menu, you’ll see a username and password under Setup. Copy and store these credentials somewhere secure.
6. Scroll down and click the server you want to connect to. This will download a .ovpn configuration file that will connect you to that specific ExpressVPN server. You can download as many files as you want.
7. Next, download OpenVPN’s GUI client from the official website.
8. Run the setup, click Install Now, and follow the steps to install it on your system.
9. Once installed, right-click the OpenVPN GUI shortcut on your desktop and click Open file location.
10. Navigate to the parent directory of your OpenVPN installation using the up arrow, or simply click OpenVPN in the folder path shown in the explorer.
11. Access the config folder in the OpenVPN directory.
12. Paste the .ovpn file you downloaded earlier in step 6 into the config folder.
13. After pasting the necessary .ovpn files, run the OpenVPN client by double-clicking the OpenVPN GUI icon. Once the OpenVPN icon shows in your taskbar, right-click it and click Connect. If you have multiple .ovpn files in your config folder, you’ll see each of the servers listed here. If not, you’ll only see a single connect button.
14. OpenVPN will ask you to provide a username and password to log in. Enter the credentials you saved earlier in step 5 and click OK to begin your connection.
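After connecting in the final step above, the OpenVPN client log is where you confirm that the session actually negotiated what the profile asked for: that the tunnel came up, which TLS version and data-channel cipher were used, that the server’s identity was checked, and whether OpenVPN warned about anything. The Python below is an added example for this article, not code from the OpenVPN project; GOOD_LOG and BAD_LOG are constructed excerpts modelled on OpenVPN 2.6 client log lines with timestamps removed, and vpn.example.net is a placeholder name.

```python
"""Check an OpenVPN client log for what actually got negotiated: that the tunnel
came up, which TLS version and data cipher were used, that the server's identity
was verified, and whether OpenVPN warned about anything. Added example for this
article, not OpenVPN code; both log excerpts are constructed and modelled on
OpenVPN 2.6 client output with timestamps removed."""
import re

GOOD_LOG = """\
VERIFY OK: depth=1, CN=Example VPN Root CA
VERIFY KU OK
VERIFY EKU OK
VERIFY X509NAME OK: CN=vpn.example.net
VERIFY OK: depth=0, CN=vpn.example.net
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECsecp256r1, signature: ecdsa-with-SHA256
[vpn.example.net] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
Data Channel: cipher 'AES-256-GCM', peer-id: 0
Initialization Sequence Completed
"""

# Constructed: a client with no remote-cert-tls, an old cipher and no TLS floor,
# connecting to a peer that presented some other certificate from the same CA.
BAD_LOG = """\
WARNING: No server certificate verification method has been enabled.
WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.
VERIFY OK: depth=1, CN=Example VPN Root CA
VERIFY OK: depth=0, CN=some-other-client
Control Channel: TLSv1.0, cipher TLSv1.0 ECDHE-RSA-AES256-SHA, peer certificate: 2048 bits RSA, signature: RSA-SHA256
[some-other-client] Peer Connection Initiated with [AF_INET]198.51.100.7:443
Data Channel: cipher 'BF-CBC', peer-id: 0
Initialization Sequence Completed
"""

AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
RE_CONTROL = re.compile(r"Control Channel: (TLSv1\.\d), cipher \S+ ([^,\s]+)")
RE_DATA = re.compile(r"Data Channel: cipher '([^']+)'")
RE_LEAF = re.compile(r"VERIFY OK: depth=0, (.+)")
RE_WARNING = re.compile(r"WARNING: (.+)")


def summarize_log(text):
    """Extract the security-relevant facts from a client log."""
    s = {"completed": False, "tls_version": None, "tls_cipher": None, "data_cipher": None,
         "server_subject": None, "identity_checked": False, "warnings": []}
    for line in text.splitlines():
        if m := RE_CONTROL.search(line):
            s["tls_version"], s["tls_cipher"] = m.group(1), m.group(2)
        elif m := RE_DATA.search(line):
            s["data_cipher"] = m.group(1)
        elif m := RE_LEAF.search(line):
            s["server_subject"] = m.group(1).strip()
        elif m := RE_WARNING.search(line):
            s["warnings"].append(m.group(1).strip())
        elif "VERIFY EKU OK" in line or "VERIFY X509NAME OK" in line:
            s["identity_checked"] = True    # remote-cert-tls / verify-x509-name ran
        elif "Initialization Sequence Completed" in line:
            s["completed"] = True
    return s


def assess(summary, expected_server_cn):
    """Return the problems worth flagging; an empty list means the session looks right."""
    problems = []
    if not summary["completed"]:
        problems.append("tunnel never reached 'Initialization Sequence Completed'")
    if summary["tls_version"] not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"control channel negotiated {summary['tls_version']}")
    if summary["data_cipher"] not in AEAD_CIPHERS:
        problems.append(f"data channel cipher {summary['data_cipher']} is not an AEAD cipher")
    if not summary["identity_checked"]:
        problems.append("no server-identity check (remote-cert-tls/verify-x509-name) was logged")
    if summary["server_subject"] != f"CN={expected_server_cn}":
        problems.append(f"server certificate subject was {summary['server_subject']!r}")
    problems.extend(f"warning: {w}" for w in summary["warnings"])
    return problems


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, *(f"  - {p}" for p in assess(summarize_log(log), "vpn.example.net")), sep="\n")
```

The bad excerpt shows why the server-identity check matters: the handshake succeeded, the certificate chain verified, and the tunnel came up, yet the peer was whoever held some other certificate from the same CA. Only the missing VERIFY EKU / X509NAME lines and the warning give it away.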
Using a VPN app with OpenVPN protocol
A much simpler way to use OpenVPN is via a VPN app that supports the protocol. For instance, ExpressVPN supports OpenVPN over both UDP and TCP.
- Open the ExpressVPN app, tap the three lines at the top-left, and click on Options.
- Click the Protocol option in the top navigation bar.
- Choose OpenVPN - UDP or OpenVPN - TCP based on your requirements.
- If you’re using Automatic as your protocol preference, you might see a dialog asking you to confirm the change. Click Change Anyway to switch to OpenVPN.
- Connect to any server to establish a connection via the OpenVPN protocol.
Platforms supported by OpenVPN
One of OpenVPN's greatest strengths is its extensive platform compatibility. Its open-source nature has allowed it to be ported to a vast range of operating systems and devices, including Windows, macOS, iOS, Android, Linux, and even various routers, including ExpressVPN’s Aircove router.
It’s worth noting that OpenVPN’s own community GUI client is Windows-only. On Linux, OpenVPN is installed from the distribution’s packages and driven from the command line or through the desktop’s network manager; on Android, the open-source OpenVPN for Android app plays the same role; and on macOS, the third-party Tunnelblick client is the usual choice. The command-line client itself is available for Windows and macOS as well, and it’s surprisingly simple to use. OpenVPN Connect, the official app from OpenVPN Inc., is available for iOS (and other platforms) and accepts standard .ovpn profiles, but it exposes fewer configuration options than the community client.
Another, more convenient option for most users would be to use an OpenVPN-supported VPN like ExpressVPN, which has native apps for Windows, macOS, iOS, Android, Linux, and various other platforms.
OpenVPN pros and cons
While OpenVPN remains one of the most trusted VPN protocols, its design comes with both strengths and drawbacks. Below is a breakdown of its key advantages and the main challenges users may encounter.
Advantages of OpenVPN
Key advantages of the OpenVPN protocol include:
- High security: OpenVPN uses the heavily vetted and audited OpenSSL library to implement encryption.
- Transparency: The open-source codebase can be reviewed by anyone and has cleared multiple independent audits.
- Highly configurable: The protocol supports both TCP for restrictive networks and UDP for faster speeds. Plus, its extensive configuration options allow fine-tuning for specific deployments.
- Extensive support: OpenVPN is compatible with nearly every major platform, including Windows, macOS, Linux, iOS, Android, and a wide variety of routers.
Limitations and challenges
Some limitations and challenges that come with using OpenVPN include the following:
- Complex setup: One downside to OpenVPN’s flexibility is that it adds complexity to the setup process. The vast array of configuration options can make setting up OpenVPN manually a challenging task and one that’s prone to errors.
- Slower speeds: OpenVPN processes every packet in user space and carries more per-packet overhead than WireGuard, whose Linux implementation runs in the kernel. As a result it is generally slower than more modern protocols like WireGuard and ExpressVPN’s Lightway. OpenVPN 2.6’s optional data channel offload (DCO) kernel module narrows the gap where it is available.
Do you need to use OpenVPN?
Whether you need to use OpenVPN depends on why you need a VPN.
Who OpenVPN is best for
OpenVPN may be a good choice if:
- You need deployment flexibility: The array of configuration options in OpenVPN makes it worthwhile if you need to fine-tune various aspects of your VPN. This is among the key reasons why it’s a preferred protocol in enterprise environments.
- You’re dealing with restrictive networks: Running OpenVPN over TCP on port 443, the standard HTTPS port, makes it harder to block with simple port-based filtering, since blocking that port would break ordinary web browsing.
- You need broad device compatibility: OpenVPN’s extensive device support makes it worthwhile if you need to deploy a VPN across many different devices.
When to consider other protocols
Despite OpenVPN’s strengths, you might want to consider other protocols if you prioritize:
- Speed: For activities like streaming, gaming, or large downloads, a faster protocol like Lightway or WireGuard will likely provide a smoother experience.
- Mobile stability: Protocols like IKEv2 are superior if you regularly switch between Wi-Fi and mobile data on your phone.
- Simplicity: If you want simpler configuration and don’t want to worry about various settings, protocols like Lightway or WireGuard are easier to set up.
FAQ: Common questions about OpenVPN
Is OpenVPN free?
Yes, OpenVPN is a free and open-source protocol. It even has a GUI client available for various platforms that you can download and configure. However, to use the protocol, you need access to a configured VPN server. While you could technically set one up yourself, it’s much easier to subscribe to a VPN that offers the OpenVPN protocol.
Is it safe to use OpenVPN?
Yes, OpenVPN is widely regarded as one of the safest VPN protocols. Its security relies on strong, industry-standard encryption (AES-256-GCM by default) and a TLS-based handshake. Its code is open-source and has been repeatedly audited by independent security experts, making it a highly trusted and transparent choice for protecting your data.
Can I use OpenVPN with ExpressVPN?
Yes, ExpressVPN supports OpenVPN connections through both TCP and UDP. Simply navigate to the “Options” menu, open the “Protocol” tab, and choose “OpenVPN - TCP” or “OpenVPN - UDP” based on your requirements.
Take the first step to protect yourself online. Try ExpressVPN risk-free.
Get ExpressVPN