Last Edit: Feb 28, 2006 at 12:48 (4,305.76 days ago), created by Steve Gibson

Our HowTo Guide Goals

Virtual private network (VPN) technology provides many different types and scales of solutions, from linking a pair of individual computers to interconnecting multiple large corporate networks. GRC's guide for OpenVPN focuses upon the goal of securing the mobile user's local network usage environment, and providing secure access to one or more remote computers, or networks, across the public Internet:

OpenVPN provides state-of-the-art "end-to-end" authentication and security by completely securing the entire "path in red" shown in the diagram above.

GRC's OpenVPN configuration provides the following specific (and often additional) benefits:

 Strong local/mobile network usage security

Travelling users generally have very little control over the security of the local network into which they connect their machines. Whether it's a wireless hotspot, a hotel, a friend's network or another foreign environment, their mobile computers are subjected to whatever lack of security and malicious activity may be present. And all of those situations are readily exploited, high-risk network environments:

Wireless hotspots are notoriously insecure because network traffic is easily "sniffed" right out of the air. Even wired hotel networks are susceptible to several types of Ethernet network exploitation which allows all of the hotel's network traffic to be monitored, intercepted, and recorded. And since you can never be sure of the security of any foreign network you may be visiting — even that of a well meaning and trusted friend — travelling users are typically subjected to the potential insecurity of whatever network they plug into.

The "Full Enclosure" VPN Tunnel

Every one of these vulnerabilities is eliminated by establishing a strongly authenticated and encrypted "full enclosure" VPN tunnel between the mobile computer and a "home base" computer or network:

Such a tunnel extends the well-managed security of your own home base network across the Internet, through any and all intervening networks, hotspots, WiFi zones, etc. to fully enclose and protect the remote machine.

Although your remotely located mobile computer may be connected to a hostile network, separated by thousands of miles of uncontrolled Internet, the result is exactly as if your computer were plugged directly into your home base's LAN.

Note that this "full enclosure" VPN tunneling approach is a unique feature of GRC's VPN configuration solution. It shuts down and eliminates all local network traffic to effectively remove the remote machine from the potentially hostile and insecure local network to which it is directly connected. The only traffic allowed into and out of the mobile computer is what travels through the encrypted VPN tunnel connection.

 Internet eavesdropping security

All data to and from the remote machine is heavily encrypted with state-of-the-art ciphers that are automatically and periodically re-keyed on the fly to defeat any and all attempts at "sniffing" and eavesdropping.

 "Man in the middle" protection

OpenVPN's use of SSL/TLS connections using a unique, private and individual certificate authority provides "strong authentication" of each endpoint. No one can intercept a remote user's connection then pretend to be their server. No one can pretend to be a remote user in order to connect to someone else's server. And no one can splice themselves into a connection in order to simulate each endpoint to the other. A connecting user can be certain that they are directly connecting to their server without the possibility of anyone listening in, and a server can be sure that a known and authorized user is connecting.

 Full remote computer/network access with no middlemen

OpenVPN provides a secure connection to your home base computer and network without going through, and needing to trust, any commercial "middleman" services. Services like "Goto My PC" are very easy to set up. But they are not free, and they require that access to your computers be entrusted to others. OpenVPN gives you, and only you, total access to your home base systems.

 Full access to ALL network resources

GRC's configuration uses an "Ethernet bridging" rather than an "IP routing" approach. This is identical to plugging your machine into your local LAN hub or switch — there is no difference. So any and all network resources that are available locally will also be available remotely.

 "Network Neighborhood" browsable

The Ethernet bridging solution means that Windows' "Network Neighborhood" is remotely present and fully browsable. Your remote machine will automatically see your network printers and other machines without requiring any special effort or configuration on your part.
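The server side of the bridged design described above, as an added example of an OpenVPN server configuration (this is not GRC's own config file, which the guide provides on a later page). It assumes a TAP interface that has already been joined to the home LAN's bridge by the OS-specific steps in the bridging pages, a home LAN of 192.168.1.0/24 with the router at 192.168.1.1, and certificate files named ca.crt, server.crt, server.key, dh2048.pem and ta.key produced by the private certificate authority; all of those addresses and file names are assumptions.

```text
# server.conf  (bridged "Ethernet" mode, so remote clients sit on the home LAN)
port 1194
proto udp
dev tap            # layer-2 TAP device; on Windows the TAP-Win32 adapter must already be
                   # bridged with the LAN adapter, on FreeBSD/Linux tap0 joined to the bridge

# server-bridge = "server mode in ethernet bridging configurations":
#   <LAN gateway> <LAN netmask> <first pooled client IP> <last pooled client IP>
# Clients are handed addresses from the pool and told that 192.168.1.1 is their gateway,
# which is what lets them browse "Network Neighborhood" and use the home Internet link.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220

# Private CA: only certificates signed by ca.crt are accepted at either end
ca   ca.crt
cert server.crt
key  server.key    # keep unreadable by other local users
dh   dh2048.pem

# Pre-shared HMAC key on the TLS control channel; "0" is the server key direction,
# the clients use "1". Unsigned packets are dropped before any TLS work is done.
tls-auth ta.key 0

cipher AES-256-CBC
reneg-sec 3600     # renegotiate (re-key) the data channel every hour
keepalive 10 120
persist-key
persist-tun
verb 3
```

Every client that connects through this server appears on the LAN with its own 192.168.1.x address, so printers, shares and the router's Internet connection are reachable with no routing rules at all; the trade-off is that LAN broadcast traffic also crosses the tunnel, which the "Routing vs bridging" page weighs up.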

 Unrestricted access to the Internet

The Ethernet bridging solution also means that your remote access is not limited to the single machine you connect to, nor even to your local LAN. You may also seamlessly use your local LAN's Internet connection for eMail, web browsing, file sharing, voice communications, or any other Internet activity.

 Bypasses any local network restrictions

Since OpenVPN's encrypted tunnelling technology prevents any middlemen from eavesdropping on the tunnel's traffic, the VPN inherently bypasses any and all possible Internet content protection or Internet access restrictions which may be imposed by the local Internet provider. You can do anything within the tunnel and no one can possibly know.

 Firewall friendly solution

GRC's configuration is fully firewall friendly allowing properly configured personal firewalls to remain up, running, and protecting their respective systems.

 Multiple redundant VPN connection options

GRC's configuration provides for accepting incoming connections on many different ports over either the UDP or TCP protocol. Since mobile users typically have very little control over the configuration of their remote host network, the provision of many different and varied ways of "getting out" to the Internet and "getting in" to the remote home base network greatly diminishes the chance of being blocked from any remote VPN access.

Note, also, that since OpenVPN is an SSL/TLS VPN solution which does not use any traditional IPSEC, PPTP or L2TP ports and protocols, the troubles associated with traditional VPN blocking and routing are sidestepped.
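The client side of the same design, as an added example that draws together the "full enclosure" tunnel, the private-CA authentication that gives the "man in the middle" protection, and the multiple port/protocol connection options described above. It is not GRC's own config file and not the OpenVPN project's sample; it assumes an OpenVPN 2.3.9 or later Windows client, a server reachable under the assumed name vpn.example.com on the assumed ports 1194/UDP and 443/TCP (the server, or the router's port forwarding, must deliver both to the OpenVPN server), and a server certificate issued by the private CA with the "server" extended key usage so that remote-cert-tls can check it.

```text
# client.ovpn  (full-enclosure bridged client)
client
dev tap            # must match the server's TAP/bridged mode
nobind
resolv-retry infinite

# Several ways "in": each remote line is host, port and protocol. The client tries them
# in order (or randomly with remote-random) until one connects, so a hotspot that blocks
# 1194/UDP is still usable via 443/TCP.
remote vpn.example.com 1194 udp
remote vpn.example.com 443  tcp

# Full enclosure: send ALL traffic through the tunnel (def1 overrides the default route
# without deleting it) and route the local LAN into the tunnel too (block-local), so the
# only host on the foreign network still spoken to directly is its gateway, which must
# carry the encrypted tunnel packets themselves.
redirect-gateway def1 block-local
block-outside-dns  # Windows: stop DNS queries leaking to the hotspot's resolver

# Mutual authentication against the private CA
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1  # client key direction for the tls-auth HMAC

# Man-in-the-middle guard: refuse any peer whose certificate is not marked as a server,
# so a stolen *client* certificate cannot be used to impersonate the home base.
remote-cert-tls server

cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

With the server's server-bridge directive pushing the home LAN gateway, the redirected default route points at the home router, so web, e-mail and file sharing all leave through the home Internet connection rather than the hotspot's. A quick check that the enclosure is working is to trace a route to any Internet host while connected: the first hop should be the home LAN gateway, not the hotspot's.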

 Quick and simple remote target selection

Thanks to the free OpenVPN GUI client solution written and provided by Mathias Sundman, choosing among connection ports, protocols, and remote servers is as easy as selecting from a pop-up menu. If you have multiple OpenVPN servers at several "home bases", connections to them can be easily established and broken using the OpenVPN GUI for Windows.


The OpenVPN guide pages that follow will take you step-by-step through the process of creating your own super-secure and private VPN system with every characteristic and feature described above.

For a brief summary of our guide's pages, please read our Howto guide overview.

We encourage you to read through these pages in sequence (many are short):

1  Intro and background
2  Howto guide goals
3  Howto guide overview
4  Routing vs bridging
5  Plan before you begin
6  Install OpenVPN client
7  Install OpenVPN server
8  Create virtual NICs
9  Win 2000 bridging
10  Win XP bridging
11  FreeBSD bridging
12  GRC's config files
13  Secure certificates
14  Port forwarding
15  Dynamic DNS Service
16  Testing the system
17  HotSpot VPN Service
18  OpenVPN Alternatives
19  Howto guide FAQ
20  Send us feedback

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.