OpenVPN VS IPSec



  • Opinions please? Which is better? Which one is more secure? Which one is more stable? Any input welcome????



  • Define better.

    Both are secure, as long as you configure them sensibly. Practically speaking, use whichever has the best support from your client base. I personally like OpenVPN for the simple fact that it works nicely on port 443/TCP, so as long as you can connect to HTTPS servers you can reach your VPN (though UDP is generally a better default choice).



  • Is it better to have a VPN accelerator to make OpenVPN work quicker? I hear OpenVPN is only restricted to one physical processor and it's not multi-threaded. Will that change?



  • You'd have to ask the OpenVPN developers about the future of OpenVPN.

    For any VPN solution an accelerator should reduce the CPU load, but whether or not it would make the VPN quicker depends on your hardware and bandwidth. If you're already bandwidth limited then an accelerator won't help you. If you're CPU limited then it may help you, depending on how CPU bottlenecked you are.



  • Could we say that IPsec only allows traffic on OSI layer 3 or higher and OpenVPN allows traffic on OSI Layer 2 or higher?
    This would make it possible to use IPX/SPX or other protocols through the OpenVPN tunnel.

    Please correct me if I'm wrong!

    I am personally using OpenVPN, too, because I can run it on port 443/tcp which is often allowed on firewalls.
    Further, the Export utility package on pfSense for OpenVPN is a great tool and makes it really easy to export configs to many clients.



  • @Nachtfalke:

    Could we say that IPsec only allows traffic on OSI layer 3 or higher and OpenVPN allows traffic on OSI Layer 2 or higher?
    This would make it possible to use IPX/SPX or other protocols through the OpenVPN tunnel.

    Please correct me if I'm wrong!

    Actually many IPsec VPN links pass L2 traffic using L2TP/IPsec
    http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol#L2TP.2FIPsec
    (a very popular combination, thanks to some brain-dead Microsoft protocols)

    PS: LOL how come you remembered IPX/SPX – I hadn't heard of it in 15 years ...



  • @Nachtfalke:

    Could we say that IPsec only allows traffic on OSI layer 3 or higher and OpenVPN allows traffic on OSI Layer 2 or higher?
    This would make it possible to use IPX/SPX or other protocols through the OpenVPN tunnel.

    Please correct me if I'm wrong!

    I am personally using OpenVPN, too, because I can run it on port 443/tcp which is often allowed on firewalls.
    Further, the Export utility package on pfSense for OpenVPN is a great tool and makes it really easy to export configs to many clients.

    What is typically called "IPSec" runs at L3.  OpenVPN can run in "tap", which is L2, or "tun", which is L3.  Some devices do not support "tap".  IPSec can be run at L2 if you do L2TP+IPSec but I don't believe that's supported in pfSense at the moment.


  • Rebel Alliance Developer Netgate

    IPsec has better third party support.

    OpenVPN is easier to use, more likely to punch out of random remote networks, and less prone to have problems with renegotiation.

    You can do L2 or L3 on either one. IPsec can do transport mode and encrypt anything between the WAN IPs, including some other tunneling protocol that does L2 such as GIF. OpenVPN has tun mode for that, which is much easier to deal with and easier to find client support for of course. :-)

    I prefer OpenVPN anywhere I can use it. Especially now that there are clients for Android and iOS that don't require root/jailbreak.