Subscription services running OpenVPN sharing network resources? Imagine, if you can run and share over the air broadcasting, cable and network services sharing resources, how much do you save? If everybody’s resources can be easily tapped to run your own services, what will be the impact? We now have the technology to do that. It allows you to stream live videos side by side with the Internet and also other medias. Of course this is an idea, and you need to tweak it to produce the final product. This proof of concept is real cause there is a great demand for such real world applications, to spur the next innovations. I can easily find the pros and cons of a technology or a product, its limitations with a roadmap of future developments and its combinations with other technologies, to develop a proof of concept, but not to produce the final product, as God does not allow me to take away other people’s ricebowl, everyone has it’s unique gifts and mine is as stated.
– Contributed by Oogle.
OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.
OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. It lets OpenSSL do all the encryption and authentication work, allowing OpenVPN to use all the ciphers available in the OpenSSL package. It can also use the HMAC packet authentication feature to add an additional layer of security to the connection (referred to as an “HMAC Firewall” by the creator). It can also use hardware acceleration to get better encryption performance. Support for PolarSSL is coming in version 2.3
OpenVPN has several ways to authenticate peers to each another. OpenVPN offers pre-shared keys, certificate-based, and username/password-based authentication. Preshared secret key is the easiest, with certificate based being the most robust and feature-rich. In version 2.0 username/password authentications can be enabled, both with or without certificates. However to make use of username/password authentications, OpenVPN depends on third-party modules. See the Extensibility paragraph for more info.
OpenVPN can run over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) transports, multiplexing created IPsec ESP tunnels on a single TCP/UDP port (RFC 3948 for UDP). It has the ability to work through most proxy servers (including HTTP) and is good at working through Network address translation (NAT) and getting out through firewalls. The server configuration has the ability to “push” certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options. OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream. Port 1194 is the official IANA assigned port number for OpenVPN. Newer versions of the program now default to that port. A feature in the 2.0 version allows for one process to manage several simultaneous tunnels, as opposed to the original “one tunnel per process” restriction on the 1.x series.
OpenVPN’s use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, “business grade,” service tier.
OpenVPN offers several internal security features. It runs in userspace, instead of requiring IP stack (and therefore kernel) operation. OpenVPN has the ability to drop root privileges, use mlockall to prevent swapping sensitive data to disk, enter a chroot jail after initialization and apply a SELinux context after initialization.
OpenVPN runs a custom security protocol based on SSL and TLS. OpenVPN offers support of smart cards via PKCS#11 based cryptographic tokens.
OpenVPN can be extended with third-party plug-ins or scripts which can be called at defined entry points. The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code  there are some examples of such plug-ins, including a PAM authentication plug-in. There also exists several third party plug-ins to authenticate against LDAP or SQL databases such as SQLite and MySQL. There is an overview over many of these extensions in the related project wiki page for the OpenVPN community.