Interestingly I have not found any good search results when searching for "OpenVPN vs IPsec". So here's my question:

I need to set up a private LAN over an untrusted network. And as far as I know, both approaches seem to be valid. But I do not know which one is better.

I would be very thankful if you can list the pros and cons of both approaches and maybe your suggestions and experiences regarding what to use.

Update (Regarding the comment/question):

In my concrete case, the goal is to have any number of servers (with static IPs) connected transparently to each other. But a small portion of dynamic clients like "road warriors" (with dynamic IPs) should also be able to connect. The main goal, however, is having a "transparent secure network" run on top of the untrusted network. I am quite a newbie, so I do not know how to correctly interpret "1:1 Point to Point Connections" => The solution should support broadcasts and all that stuff so it is a fully functional network.

Matthias Braun
jens
  • You should specify whether you need a site-to-site "persistent" VPN tunnel or a solution for many clients to connect remotely to one site. It makes a difference in the answer. – rmalayter Nov 17 '10 at 14:16
  • Update: I have found a quite interesting article. Maybe the article is biased? In summary the article is saying IPSec is much faster!? http://www.enterprisenetworkingplanet.com/netsecur/article.php/3844861/OpenVPN-Is-Too-Slow-Time-to-Consider-IPSEC.htm – jens Nov 17 '10 at 17:13

7 Answers

I have all of the scenarios set up in my environment (OpenVPN site-to-site, road warriors; Cisco IPsec site-to-site, remote users).

By far the openvpn is faster. The openvpn software is less overhead on the remote users. The openvpn is/can be setup on port 80 with tcp so that it passes at places that have limited free internet. The openvpn is more stable.

Openvpn in my environment does not force policy to the end user. Openvpn key distribution is a little harder to do securely. Openvpn key passwords are up to the end users (they can have blank passwords). Openvpn is not approved by certain auditors (the ones that only read bad trade rags). Openvpn takes a little bit of brains to setup (unlike cisco).

This is my experience with openvpn: I know that most of my negatives can be alleviated through either configuration changes or process changes. So take all my negatives with a bit of skepticism.

Leo
  • Nice comment about the auditors; would agree with their reading habits ;) Just tell them it uses the industry standard TLS protocol with AES CBC 128 bit encryption and they will be scared off ;) – reiniero Mar 11 '12 at 11:56
  • I have a hard time taking the "by far faster" argument put forth in many answers. Encryption overhead for AES surely must be negligible. – user239558 Mar 21 '13 at 14:52
  • @user239558: IPSec encapsulates packets twice though, so the overhead is doubled in comparison with OpenVPN. – jupp0r May 21 '13 at 13:07
  • @jupp0r this is wrong. IPsec causes an overhead of 66B (20B IP, 8B UDP, 38B ESP) with NAT traversal enabled. OpenVPN causes 69B overhead (20B IP, 8B UDP, 41B OpenVPN hdr). – tobias Nov 21 '13 at 09:08
  • Old reply, but I used OpenVPN "bare" (i.e. no encryption), "weak" (64-bit), and "strong" (AES 256-bit), and there is like a 1ms difference between them. I.e.: nothing. ||| I did my test on a single-thread VPS machine at Vultr, which is of course not a scientific test. But the bottom line is the same. If you use any kind of Xeon (or virtualize on a Xeon), you will see no difference. Of course, as speed goes up, this changes. It's recommended to use 128-bit AES, or Intel sped-up AES if you have so much bandwidth coming through. – Apache Aug 22 '17 at 17:46

One key advantage of OpenVPN over IPSec is that some firewalls don't let IPSec traffic through but do let OpenVPN's UDP packets or TCP streams travel without hindrance.

For IPSec to function your firewall either needs to be aware of (or needs to ignore and route without knowing what it is) packets of the IP protocol types ESP and AH as well as the more ubiquitous trio (TCP, UDP and ICMP).

Of course you might find some corporate environments the other way around: allowing IPSec through but not OpenVPN, unless you do something crazy like tunneling it via HTTP, so it depends on your intended environments.

zymhan
David Spillett
  • If the firewall issue comes up, IPSec can be put into NAT-traversal mode, which will use packets on UDP/4500 instead of ESP (protocol 50). – MadHatter Dec 13 '12 at 07:52
  • This is not a benefit of OpenVPN. IPsec can also operate with an additional UDP header as MadHatter pointed out. A problem of OpenVPN is that it is not a standard (RFC); there are very few products (e.g. routers) out there supporting OpenVPN. For example you won't get a Cisco router supporting OpenVPN. The only benefit I can see of this proprietary protocol is that it is easy to set up. – tobias Nov 21 '13 at 09:02

OpenVPN can do Ethernet-layer tunnels, which IPsec cannot do. This is important for me because I want to tunnel IPv6 from anywhere that has only IPv4 access. Maybe there is a way to do this with IPsec, but I haven't seen it. Also, in a newer version of OpenVPN you will be able to make Internet-layer tunnels which can tunnel IPv6, but the version in Debian squeeze can't do that, so an Ethernet-layer tunnel works nicely.

So if you want to tunnel non-IPv4 traffic, OpenVPN wins over IPsec.

Kenyon
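As an added example (not part of Kenyon's answer or the OpenVPN project's documentation): a minimal OpenVPN server/client pair in Ethernet-layer (tap) mode, so that IPv6 router advertisements from the server's LAN reach a client that only has IPv4 connectivity. Hostnames, addresses, bridge and file names below are constructed placeholders.

```conf
# server.conf (constructed example)
# Assumption: tap0 is enslaved to bridge br0 on the server, and radvd/DHCPv6
# already serve the LAN behind br0, so clients get IPv6 config over the L2 tunnel.
dev tap0
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC on the control channel (key direction 0 on the server): unauthenticated
# packets are dropped before any TLS processing happens.
tls-auth ta.key 0
# Bridge mode: hand out IPv4 from a slice of the LAN range; IPv6 needs no
# OpenVPN-side configuration because RAs cross the Ethernet-layer tunnel.
server-bridge 192.0.2.1 255.255.255.0 192.0.2.100 192.0.2.200
keepalive 10 60
persist-key
persist-tun
# Drop privileges after the interface and keys are set up.
user nobody
group nogroup

# client.conf (constructed example)
client
dev tap
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
# Key direction 1 on the client side of the same tls-auth key.
tls-auth ta.key 1
# Refuse to complete the handshake unless the peer's certificate carries the
# server role, so a stolen client certificate cannot impersonate the server.
remote-cert-tls server
persist-key
persist-tun
```

With the tunnel up, the client's tap interface behaves like a port on the server's LAN, so SLAAC and any other non-IPv4 frames cross it; on the newer, tun-based route Kenyon mentions the equivalent would be `server-ipv6` instead of bridging.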
OpenVPN is much easier to administer, set up and use in my opinion. It's a fully transparent VPN, which I love.

IPsec is more of a "professional" approach with many more options regarding classical routing within VPNs.

If you want just a point-to-point VPN (1-to-1), I would suggest using OpenVPN.

Hope this helps :D

Arenstar

I had some experience with managing dozens of sites around the country (NZ) each connecting to the Internet via ADSL. They had been operating with IPSec VPN going to a single site.

The customer's requirement changed and they needed to have two VPNs, one going to the main site, the other going to a failover site. The customer wanted both VPNs to be active at the same time.

We found that the ADSL routers in use were not coping with this. With one IPSec VPN they were fine but as soon as two VPNs were brought up the ADSL router rebooted. Note that the VPN was initiated from a server inside the office, behind the router. We got technicians from the supplier to check the routers and they sent many diagnostics back to the vendor but no fix was found.

We tested OpenVPN and there were no problems. On consideration of the costs involved (replace dozens of ADSL routers or change VPN technology) it was decided to change to OpenVPN.

We also found diagnostics easier (OpenVPN is much clearer) and many other aspects of management overhead for such a large and widespread network were a lot easier. We never looked back.

Steve

I use OpenVPN for a site-to-site VPN and it works great. I really love how customizable OpenVPN is for each situation. The only issue I've had is that OpenVPN isn't multithreaded, therefore you can only get as much bandwidth as 1 CPU can handle. The testing I've done, we've been able to push ~375 MBits/sec across the tunnel with no problems, which is more than enough for most people.

  • As more anecdotal evidence on CPU use by OpenVPN: when I performed a few tests on a netbook I found that OpenVPN could almost (but not quite) saturate a 100Mbit/sec connection even with only a single-core Atom CPU. – David Spillett Nov 17 '10 at 14:33

OpenVPN site-to-site is much better than IPSEC. We have a client for whom we installed OpenVPN in an MPLS network, which worked fine and supported faster and more secure encryption such as Blowfish 128-bit CBC. At another site which is connected via public IP we used this connection as well, on low bandwidth such as 256kbps/128kbps.

However let me point out that IPSec VTI interfaces are now supported in Linux/Unix. This allows you to create routable and secure tunnels much in the same way as OpenVPN site to site or GRE over IPSec.

Botto