GUIDE

Custom vs. open source VPN clients

As any reader of our blog pages will know, we are huge fans of all things open source. While far from being a magic bullet, the fact that open source code is freely available for others to inspect and audit provides the best (and only) protection available against it containing malicious code, NSA backdoors, or who knows what else.

With proprietary closed source code on the other hand, there is absolutely no way to determine what it contains, so it comes down to a matter of trusting the company involved – something this post-Snowden world has demonstrated time and again is a very foolish thing to do.

Open source OpenVPN clients

OpenVPN is the only VPN protocol we really consider to be secure, and as generic open source OpenVPN clients are now available on all major platforms, there is really very little reason to consider anything else. These clients can use a VPN provider’s standard OpenVPN configuration files to connect via OpenVPN, even if the provider does not explicitly support OpenVPN on that platform.

The ‘official’ FOSS forks of OpenVPN on the major platforms are:

Windows (XP+) OpenVPN
Mac OSX Tunnelblick
Android (4.0+) OpenVPN for Android
iOS (6.1+) OpenVPN Connect
Linux Open Terminal and type ‘sudo apt-get install network-manager-openvpn’

The open source DD-WRT and Tomato router firmwares also have OpenVPN clients built-in.

Because open source OpenVPN clients require configuration files to be downloaded from a VPN provider and imported into the client, they are slightly more complicated to setup than most custom VPN clients, but there are plenty of detailed how-to guides available on how to do this (pretty near all VPN providers supply them), and minimal technical competence is required.

A bigger problem is that while these clients generally work very well, they lack the often very useful bells and whistles offered by custom VPN software.

Custom VPN clients

Almost all VPN providers will happily supply instructions and the configuration files needed for setting up their service using generic ‘stock’ OpenVPN clients, but many also supply their own custom clients (usually just wrappers over the stock open source OpenVPN code, although some base their clients on the also-open source SoftEther code).

In addition to being easy to set up, as the necessary config files are built into the client, many providers also add extra features, some (but not all) of which are very useful. The two most useful features found in custom VPN clients are:

  • VPN kill switch – this ensures that you are always protected by VPN when connected to the internet, as it kills your internet connection if your VPN connection drops. Some VPN kill switches are even more subtle, and will work on a per-app basis (fantastic for ensuring your BitTorrent client never downloads when you are connected to a VPN). Other kill-switch style solutions are available, but having this functionality built-in to the VPN client is very handy.
  • DNS leak protection – in theory your VPN provider should handle all DNS requests when connected via VPN, but sometimes either your computer or its servers can misroute the request so that it gets handled by default ISP instead. There are various things you can do to prevent DNS leaks, but having this functionality built into the client is definite bonus.

Although not without issues, some will also find the following features useful:

  • Configurable encryption – if a VPN provider offers variable levels of encryption, then configuring it using stock OpenVPN means manually editing configuration files (fun fun fun). Having the option built into the client is obviously easier, although it does beg the question of why the provider is not using maximum encryption anyway. Changing encryption settings also raises your profile on the internet, so if using this option then you should pick a setting and stick with it.
  • Port forwarding – port forwarding can be very useful when using VPN through a Firewall etc., but again it makes you more visible on the internet so should be used with caution. An exception is forwarding through TCP port 443, which is the same port used by standard HTTPS (https://) traffic. Routing VPN traffic through port 443 therefore hides the fact that you are using VPN, and as blocking port 443 effectively cripples the internet this is rarely done. It is therefore very effective way of bypassing restrictive firewalls (such as those in China).

Custom VPN clients therefore often offer some distinct advantages over vanilla stock OpenVPN, but the problem is, of course, that they are invariably not open source…

Does it matter?

In the case of VPN clients our personal view goes somewhat against our usual rabid support for open source. The thing is: your VPN provider has full access to your internet traffic anyway, as such is the nature of VPN – the encrypted tunnel only lasts between your computer and the VPN server – so your VPN provider can see everything that enters and leaves that tunnel at its end…

It therefore seems rather redundant to worry about the client, as you are putting full trust in your provider anyway! This is why it is so important to use a provider that you trust not to keep any logs of your activity, which it can always be compelled to hand over unless they don’t they actually exist.

Hopefully the OpenVPN development community will one day build features such as a kill switch and DNS leak protection into stock clients, but until then we feel that custom clients which actually provide useful features are worth using, because if your VPN is untrustworthy then you are screwed anyway…


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

Related Coverage


2 responses to “Custom vs. open source VPN clients

  1. Isn’t the answer to this dilemma then to decouple the VPN bandwidth provider from the underlying open source software? There are plenty of _VPS_ providers out there that charge similar rates as VPN companies. You can just run your OpenVPN/SoftEther instance on that and set your own policies. Some VPS even throw in international POPs as part of the deal, so you can effectively make your tunnel destination anywhere in the world. And as for the so-called kill switch and leak protection, those are just group policy configurations set in the login script and maybe a little shell script on the client side. It’s not rocket science.

    1. Hi PacoBell,

      Well, using an open source OpenVPN client effectively decouples the VPN bandwidth provider from the underlying open source software, but you don’t get the bells and whistles that come with custom clients (creating these bells and whistles, as you say, is not rocket science, but they are not included in the basic open source clients that are available. I think we should also give AirVPN credit here for being the only provider to fully open source its custom client. As for running a VPS as your own private VPN service (see here for instruction on how to do this), you should be aware that it is not as private as using a third party provider and provides no protection when P2P downloading, as the VPS IP is linked to your real IP, so data entering and exiting the VPS IP can be easily traced back you (good VPN providers are designed to protect their client’s privacy, and have policies and practices in place to help ensure this e.g. keeping no logs, using shared IP’s, etc.)

Leave a Reply

Your email address will not be published. Required fields are marked *