OpenVPN is a flexible open source, software-based VPN product. It is an affordable component that helps to secure IT network infrastructure. However, deployment of OpenVPN on its own is certainly insufficient to secure an IT network infrastructure; other actions mentioned and referred to on this site must be taken to ensure that the protection offered by OpenVPN actually holds.
OpenVPN-NL is a version of OpenVPN that is modified to include as many of the security measures required to operate in a classified environment as possible. This includes a number of hardening patches, but also improvements in documentation to ease evaluation.
The trigger for the OpenVPN-NL project was the fact that many Dutch ministries, including the Ministry of Defence, have expressed their interest in using OpenVPN. The project is funded from interdepartmental resources.
Dutch federal government agencies that process classified ("gerubriceerde") information are required to protect this information using solutions that have been marked fit for purpose by the NBV. (This requirement originates from the VIR-BI regulation.)
The NBV is a subsidiary of the AIVD (the Dutch General Intelligence and Security Service) and acts as the evaluation agency that assesses the protection quality of IT security products and solutions. (In NATO terminology, the NBV is the NLNCSA.)
An evaluation by the NBV covers many aspects, including cryptographic aspects, source code inspection and supply chain control. The OpenVPN releases found on the openvpn.net website, elsewhere on the net or on the installation media of various operating systems, though possibly of great protection value, cannot obtain NBV approval. The two most important reasons are:
- The product allows many insecure configurations, such as turning off encryption, or the use of outdated cryptographic functions in security critical places.
- The trust to be put in the supply chain of the software is not warranted. The Dutch government simply cannot verify whether all the versions and releases out in the wild are legitimate (i.e. secure and uncompromised) versions of OpenVPN.
Please note that this list of reasons is not exhaustive.
To address these issues, NBV has commissioned Fox-IT to create a special Dutch version of OpenVPN, dubbed OpenVPN-NL. Fox-IT has stripped and hardened the product, and has set up a controlled distribution channel on this site. Fox-IT, supported by the NBV, will act as the maintainer and distributor of OpenVPN-NL for at least the next few years.
OpenVPN-NL meets all the evaluation criteria of the NBV for handling classified information up to the level of "Departementaal VERTROUWELIJK" (similar to the "NATO RESTRICTED" classification). To use OpenVPN-NL safely, it must be deployed in compliance with the conditions set in the deployment advisory ("inzetadvies") published by the NBV.
The evaluation of OpenVPN-NL by the NBV has verified the protection offered by the product against breaches of confidentiality and integrity. The evaluation has not addressed availability (e.g. robustness) of the VPN tunnel provided by OpenVPN-NL.
Differences between OpenVPN and OpenVPN-NL
|Aspect|OpenVPN|OpenVPN-NL|
|---|---|---|
|Distribution channel|Various means|This site, offline fingerprints available|
|Certification|None|NLNCSA criteria Level 2, "Departementaal VERTROUWELIJK" (Dutch) if deployed in compliance with the deployment advisory ("inzetadvies")|
|Functionality|Full|Many insecure and less secure options stripped, hardened, otherwise unchanged|
|Cryptographic library|OpenSSL|mbed TLS|
|Default encryption and message digest|BF-CBC / AES-256-GCM, SHA1|AES-256-CBC / AES-256-GCM, SHA256 (no other options allowed)|
|Accepted groups for (EC)DH|DH: 1024-8192 bits, ECDH: any supported curve|DH: 2048-4096 bits, ECDH: P-256, P-384|
|Accepted moduli for RSA|1024-8192 bits|1024-4096 bits (using less than 2048 bits is advised against, and requires explicitly setting "--tls-profile legacy")|
Among the notable differences between OpenVPN and OpenVPN-NL is the cryptographic library. Correct TLS (SSL) functionality is essential for the protection that OpenVPN offers. OpenSSL is a large and complex library. mbed TLS is a compact and modular library, small enough for a fairly in-depth evaluation. Therefore, in the OpenVPN-NL package, we exchange OpenSSL for mbed TLS. This substitution does not change functionality; the two libraries (OpenSSL and mbed TLS) are mutually compatible.
Apart from these differences, many things are the same. The functionality is nearly identical. OpenVPN and OpenVPN-NL are mutually interoperable, in the sense that a client of the one can connect to a server of the other (provided that a crypto suite is chosen which is available in both products). OpenVPN and OpenVPN-NL are mutually compatible, in the sense that configuration files can be freely exchanged (provided that the options used are available in both products). Both OpenVPN and OpenVPN-NL, and their underlying libraries, are licensed under GPLv2.
OpenVPN-NL is fully compatible with the OpenVPN protocol; in particular, no incompatibilities have been intentionally introduced.
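The following linter, added here as an example and not part of the OpenVPN-NL project, reads an OpenVPN configuration and reports which settings fall outside the limits from the comparison table above, so an existing OpenVPN configuration can be checked before it is moved to OpenVPN-NL. The option names `cipher`, `auth`, `ecdh-curve` and `tls-profile` are standard OpenVPN directives; the curve spellings and the constructed sample configurations are assumptions, and RSA/DH key sizes are assumed to be extracted beforehand (for instance with openssl) and passed in by the caller.

```python
"""Lint an OpenVPN config against the OpenVPN-NL limits from the comparison table.
Added example, not OpenVPN-NL project code. cipher/auth/ecdh-curve/tls-profile are
standard OpenVPN directives; key sizes are passed in by the caller (assumed to be read
beforehand from the certificate or DH file, e.g. with openssl)."""

ALLOWED_CIPHERS = {"AES-256-CBC", "AES-256-GCM"}
ALLOWED_AUTH = {"SHA256"}
ALLOWED_CURVES = {"secp256r1", "prime256v1", "secp384r1"}  # P-256 / P-384 (assumed names)
RSA_RANGE, RSA_ADVISED_MIN = (1024, 4096), 2048
DH_RANGE = (2048, 4096)

def parse_config(text):
    """Map each directive to its argument lists; blank and '#'/';' comment lines are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        options.setdefault(name.lstrip("-"), []).append(args)
    return options

def lint(text, rsa_bits=None, dh_bits=None):
    """Return why OpenVPN-NL would reject this config; an empty list means it passes."""
    opts = parse_config(text)
    findings = []
    for args in opts.get("cipher", []):
        if not args or args[0].upper() not in ALLOWED_CIPHERS:
            findings.append(f"cipher {' '.join(args)}: only AES-256-CBC / AES-256-GCM allowed")
    for args in opts.get("auth", []):
        if not args or args[0].upper() not in ALLOWED_AUTH:
            findings.append(f"auth {' '.join(args)}: only SHA256 allowed")
    for args in opts.get("ecdh-curve", []):
        if not args or args[0] not in ALLOWED_CURVES:
            findings.append(f"ecdh-curve {' '.join(args)}: only P-256 / P-384 allowed")
    legacy = any(args[:1] == ["legacy"] for args in opts.get("tls-profile", []))
    if rsa_bits is not None:
        if not RSA_RANGE[0] <= rsa_bits <= RSA_RANGE[1]:
            findings.append(f"RSA modulus {rsa_bits} bits: outside {RSA_RANGE[0]}-{RSA_RANGE[1]}")
        elif rsa_bits < RSA_ADVISED_MIN and not legacy:
            findings.append(f"RSA modulus {rsa_bits} bits: needs 'tls-profile legacy' below {RSA_ADVISED_MIN}")
    if dh_bits is not None and not DH_RANGE[0] <= dh_bits <= DH_RANGE[1]:
        findings.append(f"DH group {dh_bits} bits: outside {DH_RANGE[0]}-{DH_RANGE[1]}")
    return findings

# Constructed samples: the stock OpenVPN defaults from the table next to values OpenVPN-NL accepts
STOCK_CONFIG = "client\nremote vpn.example.invalid 1194\ncipher BF-CBC\nauth SHA1\n"
HARDENED_CONFIG = ("client\nremote vpn.example.invalid 1194\n"
                   "cipher AES-256-GCM\nauth SHA256\necdh-curve secp384r1\n")
```

Running `lint(STOCK_CONFIG, rsa_bits=2048, dh_bits=2048)` reports the BF-CBC cipher and SHA1 digest; the hardened configuration passes with a 2048-bit RSA key and passes with a 1024-bit key only when `tls-profile legacy` is set.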
The OpenVPN-NL project is in line with the Dutch government's ambition to encourage the use of open standards and open source products within the Dutch government.
The NBV does not wish to take a stance in the debate about the pros and cons of open source products. However, the NBV acknowledges the quality of OpenVPN-NL, which could never have been accomplished without the excellent work of the OpenVPN open source community. Fox-IT and the NBV will conform to the rules that apply to open source, such as applicable to OpenVPN. All source code of OpenVPN-NL is made available on this website.
Moreover, Fox-IT has made a large number of general improvements to the OpenVPN code base, such as modularisation of the crypto code and adding a fair amount of documentation (Doxygen). Not only have these improvements been contributed back to the OpenVPN maintainers, Fox-IT has also invested time and effort in helping those contributions make their way into the OpenVPN code base. In this respect, the Dutch government is a contributor to the OpenVPN project. Fox-IT has performed the work that amounts to this contribution.
The NBV and Fox-IT are dedicated to openness on OpenVPN-NL. We invite and encourage everybody interested to look at the inner workings of the product, and to report any weaknesses or vulnerabilities found. Of course, we have done all we can to minimize the chances of such problems remaining in OpenVPN-NL.
Although many NCSAs and similar organisations worldwide have looked at open source, and many governments worldwide use open source security products, OpenVPN-NL is, as far as we know, one of the very few open source products worldwide that meets the strong criteria of the RESTRICTED level. There is currently no open source product which meets the evaluation criteria of a higher level (e.g. CONFIDENTIAL or SECRET).
While OpenVPN-NL is targeted for use by Dutch governmental bodies, it is available for anybody who wants to use it. No registration is required for download or use. A low-volume mailing list is available and open to all users to be informed of updates and security issues.
OpenVPN-NL is available free of licence costs. One should be aware that deployment and maintenance of any product requires knowledge and manpower, neither of which is free. Neither NBV nor Fox-IT provides free support or consultancy on OpenVPN. The commitment of NBV and Fox-IT is essentially limited to keeping the product up to date, and providing the information which can be found on this site.