I got an interesting email today: someone asked me why I often speak about OpenVPN and what is wrong with the VPN software your VPN service has to offer. First of all, the software your VPN service might offer is already based on OpenVPN or its TAP driver in order to create a tunnel interface. Second, most if not all third-party clients collect debug logs which are often hard to disable, and some providers send these back in order to see certain things, like which server you prefer and more.
VPN Client Software
The reason you need software at all is to create a tunnel; basically, all VPN services use OpenVPN-based drivers and protocols and build their own software around them. OpenVPN is open source, and that is the main reason most VPN services prefer it: you can work with it and modify it more easily.
Of course, you do not need any software or driver if your router natively supports OpenVPN, but not every router does, and even some aftermarket firmware has weaknesses: you might lose the entire internet connection for all connected devices in case your VPN provider has trouble, because there is often no fallback integrated. A lot of firmware struggles with this because it is not an easy task to integrate native OpenVPN support into the firmware and implement solutions which cover the various 'in case something happens' scenarios.
The original OpenVPN software basically offers the things you need: an indicator (tray icon) which shows whether you are connected or not, and some basic settings within the GUI. You can also install a console-based client if you want to, but that is more for advanced users.
As you can see there is not much to configure: you set up your configuration files, connect, and that's it. The log which is created locally is mainly there in case you like to see what is happening in the background or want to debug a connection issue.
My Client Software offers more!
Several providers offer additional options within their GUI applications, like DNS leak protection, Mace or an internet kill switch.
- PIA Mace: Basically another name for 'would you like to use our unknown adblocker list?' It's an ad-blocking list which Private Internet Access offers.
- VPN Kill Switch: This blocks all communication (internet traffic) in case you lose the internet connection or in case you aren't connected to the VPN server (e.g. while you boot or reboot your OS).
- Use small packets: Mostly only relevant in case you have trouble establishing a stable connection; this is for routers which don't follow a specific RFC.
- Debug Mode: This allows the VPN provider to see some information; however, keep in mind that this information is anonymous and that this isn't a backdoor. It exists so the provider can see which server you prefer and similar things in order to fix or improve the VPN service or servers. It's not telemetry, since it is only submitted in case there are problems or if your VPN service explicitly requests it (usually once a day, to measure how fast their servers are or how 'full' they are; it doesn't expose you).
- Leak protection (DNS): This ensures no one gets your IP address and blocks, for example, IPv6 traffic or WebRTC (depending on how your VPN service 'determines' leakage and which countermeasures they have implemented).
So it seems the original OpenVPN software loses when it comes to features?
NO! Just because there are no toggles or 'nice' GUI things doesn't mean there are no possibilities. The OpenVPN community is really big and still growing; there is a Wiki, and all switches and configuration-related things are explained over there.
So what are the problems with the GUI-based clients which your provider uses? Basically not much; if you struggle with reading, then go ahead and use them, but I recommend only the OpenVPN software/protocol because it has already had a security audit.
Reasons to prefer OpenVPN client software:
- Smaller download size
- Open Source
- Fully documented
- It does its job the same as other GUI-based clients
- Kill switch functionality (if offered by your VPN provider); here is my example guide.
- Adblocking function (if offered by your VPN provider)
- No debug logs are sent away (some VPN providers don't offer an opt-out for this)
- Faster download speed (depending on several factors)
- OpenVPN works the same on every OS; the client may look a bit different, but it works the same. You can copy & paste the same OpenVPN configuration file and go; some OSes might need small adjustments because of the way they handle network-related things, e.g. iOS/Android (but some providers also provide separate 'mobile'-optimized configurations to address this).
Reasons ‘against’ using the original software:
- Minimalistic and maybe not for beginners
- Your VPN provider doesn't offer or provide a .openvpn configuration file
- No integrated update function (maybe it gets integrated someday?)
- No graphical interface for e.g. server latency or load
- No kill switch or adblocking function integrated
- Closed source (some providers want to change this in the future, like PIA or OpenVPN, but while writing this article most providers only offer closed-source clients)
- The configuration files need to be updated manually (in case they change)
- Autoconnect is a bit more complicated to set up
As you can see it's a close race, but most people argue now that ad-blocking functionality and a kill switch are important these days. Well, that's half-way true, but let me explain.
Not every provider offers such a function, and these lists might break sites you like to visit; as a workaround, some clients have an option to 'report blocked content'. However, it's unclear which filter lists such providers use and whether they are not (in the end) making money with the findings you submit.
Pi-Hole or uBlock is better!
The problem is that your provider only offers a domain- or DNS-based list, which means it blocks only the DNS request or the domain, but you might want additional things like cosmetic blocking; then use uBlock instead, which allows you to pick the elements which are bothering you. Like Pi-Hole, it uses open-source filter lists, and you can contribute to them, integrate your own findings or see what's blocking on your site, while this isn't possible with your VPN provider's solution since the list is not visible to you.
Pi-Hole is the next thing, for sure. The benefit is that you get an advanced interface and you can take direct control over all traffic: you set your router to use the Pi's DNS and that's pretty much it; the rest is configured through the Pi-Hole software, and there are a bunch of tutorials and videos on how to do this. Compared to uBlock it blocks traffic globally, in front of your router, so you won't have to install uBlock or any other ad blocker on any of the devices connected to your router. This is a big plus because your smart TV might offer no possibility to block telemetry or to install an ad-blocking solution. However, Pi-Hole has one weakness: it doesn't offer any cosmetic blocking function like uBlock, which means you can't pick annoying ads yourself the way other blockers do, but you can subscribe to pre-made lists from e.g. Fanboy.
I provide my own example configuration of how to set up everything on your Pi-Hole over here.
A kill switch is important because it prevents data leakage, e.g. in case you have a disconnect (which can happen) you would be unprotected and your real IP is visible. Another scenario is that whenever you reboot your OS you are exposed as long as your VPN client isn't connected to a VPN server.
I agree that this is a critical thing; however, OpenVPN hasn't integrated any countermeasures for this because it's difficult to implement, and this is something the OS needs to take care of. Sadly it's more a philosophy thing here.
That said, it's difficult even for big players to implement a good solution to this problem.
These problems are already fixed, BUT the problem is that the fixes are not reliable! For example, if Windows or Linux changes something in the OS due to an update or upgrade, the client might need additional changes to address this. This makes it very hard to implement something which always (under any circumstances) keeps working.
- Check your Windows or Linux firewall (iptables) and create a 'tunnel' manually there. There is a good tutorial given here.
- If you use a router and you're connected directly, ensure there are fallbacks in case your VPN server or provider has downtime. Some offer a fallback to your normal ISP or to connect to a proxy/SOCKS.
You can set up a Windows kill switch with Windows' own firewall, so no other program is required.
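The Linux counterpart of the firewall-based kill switch described above, as an added example (not the article's own code or guide): an iptables ruleset that defaults to DROP and only lets traffic out through the tunnel interface. The interface name tun0, the LAN 192.168.1.0/24 and the VPN server 203.0.113.10 on udp/1194 are assumed placeholder values; override them through the environment. The rules are generated first so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not the article's own code): a Linux iptables "kill switch"
# for an OpenVPN client, the counterpart of the Windows Firewall approach
# the article mentions. Assumed values: tunnel interface tun0, LAN
# 192.168.1.0/24, and a placeholder VPN server 203.0.113.10 (TEST-NET-3)
# on udp/1194. Override any of them through the environment.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"
LAN="${LAN:-192.168.1.0/24}"

# killswitch_rules -> prints the commands, one per line, in apply order.
# Default policy is DROP; only loopback, replies to existing connections,
# the LAN (minus DNS, so the router cannot resolve for us outside the
# tunnel), the handshake to the VPN server, and anything leaving via the
# tunnel are allowed. IPv6 is dropped entirely, which is all a GUI
# "IPv6 leak protection" switch does anyway.
killswitch_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT ! -o $TUN_IF -p udp --dport 53 -j DROP
iptables -A OUTPUT ! -o $TUN_IF -p tcp --dport 53 -j DROP
iptables -A OUTPUT -d $LAN -j ACCEPT
iptables -A INPUT -s $LAN -j ACCEPT
iptables -A OUTPUT -d $VPN_SERVER -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# apply_killswitch -> runs the generated rules; needs root and iptables.
apply_killswitch() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_killswitch: run as root" >&2; return 1; }
    killswitch_rules | while IFS= read -r rule; do
        eval "$rule" || { echo "failed: $rule" >&2; exit 1; }
    done
}

# Stand-alone use: print the rules, or apply them with "apply" as argument.
if [ "${1:-}" = "apply" ]; then
    apply_killswitch
else
    killswitch_rules
fi
```

Because DNS is dropped on every interface except the tunnel, the `remote` line in the client config must carry the server's IP address (as `VPN_SERVER` does here), or the client will not be able to resolve the hostname before the tunnel exists. The rules are not persistent; load them at boot (or through an OpenVPN `up` script) so the reboot scenario above is covered too.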
Usually, only bad providers have separate options for this; a good provider doesn't have any option for it because there is no leakage even with the default configuration. Private Internet Access's IPv6 leak protection does nothing but block IPv6 traffic, and that's it: it's not a protection, it's just misleading and blocks it totally.
Some providers (still) suffer from the WebRTC IP leak which exposes you whenever a service uses WebRTC (first discovered in 2015 by TorrentFreak). However, this is usually fixed in every modern browser; the rest should be fixed by your VPN provider. Sadly there still exist some which suffer from this problem because they haven't updated their server configuration files in order to fix this issue.
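What the GUI "leak protection" and "IPv6 protection" toggles above stand for can be pinned in the client config itself. The following is an added example, not the article's or OpenVPN's code: a small audit that checks an OpenVPN client config for the relevant directives, run against two constructed sample configs (the host `vpn.example.invalid` is a placeholder). The directives it looks for are real OpenVPN options: `redirect-gateway def1`, `block-ipv6` (OpenVPN 2.5+), `pull-filter ignore "route-ipv6"`, `remote-cert-tls server` and, on Windows only, `block-outside-dns`.

```shell
#!/bin/sh
# Added example (not the article's or OpenVPN's own code): audit an OpenVPN
# client config for the directives that do, on the client side, what a GUI
# "leak protection" switch claims to do. The sample configs below are
# constructed for this example; vpn.example.invalid is a placeholder host.

# has_directive FILE REGEX -> true if an uncommented line starts with REGEX
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# audit_config FILE -> prints one "MISSING ..." line per gap; returns 0 if clean
audit_config() {
    f="$1"; rc=0
    # All IPv4 traffic into the tunnel; pin it locally instead of relying on
    # the server to push it.
    has_directive "$f" 'redirect-gateway' \
        || { echo "MISSING redirect-gateway def1"; rc=1; }
    # IPv6: either OpenVPN 2.5+ 'block-ipv6' or refuse pushed IPv6 routes.
    has_directive "$f" 'block-ipv6' \
        || has_directive "$f" 'pull-filter ignore "route-ipv6"' \
        || { echo "MISSING block-ipv6 or pull-filter ignore \"route-ipv6\""; rc=1; }
    # Refuse a certificate that is not marked as a server certificate.
    has_directive "$f" 'remote-cert-tls server' \
        || { echo "MISSING remote-cert-tls server"; rc=1; }
    # Windows only: keep the resolver from sending queries out of the NIC.
    has_directive "$f" 'block-outside-dns' \
        || echo "NOTE block-outside-dns not set (Windows-only directive)"
    return $rc
}

# Constructed sample 1: a typical provider-supplied config, nothing pinned.
write_sample_plain() {
    f=$(mktemp); cat > "$f" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
EOF
    echo "$f"
}

# Constructed sample 2: the same config with the leak directives added.
write_sample_hardened() {
    f=$(mktemp); cat > "$f" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
redirect-gateway def1
block-ipv6
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
verb 3
EOF
    echo "$f"
}

# Stand-alone run: audit both samples.
for mk in write_sample_plain write_sample_hardened; do
    cfg=$($mk)
    echo "== $mk"
    audit_config "$cfg" && echo "OK: nothing missing"
    rm -f "$cfg"
done
```

Run it against the .ovpn file your provider ships (`audit_config provider.ovpn`) before copying it into the OpenVPN configuration folder; a missing line is added with a text editor, which is exactly the 'tweaking' the article refers to.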
Why do I still recommend using only original OpenVPN Clients
OpenVPN is all you need: you get a driver which gets installed, and the GUI has some minimalistic functions which are good enough. It doesn't waste any resources and it doesn't send any debug logs away. It's all you need, and just because it's minimalistic doesn't mean it's less powerful.
If you're a beginner, consider reading the OpenVPN Wiki pages; there are tons of examples and explanations given, which is more than you usually need. It's not a big deal to download an OpenVPN configuration file from your provider (if offered) and copy it into your OpenVPN configuration folder; it takes you 2 minutes at best. The rest is mostly only 'tweaking' and more optional.
Speed is maybe another thing. I found no evidence of what's really causing it, so I did not mention it above, but from my personal experience the original software is faster. I can only speculate: maybe some VPN client software uses outdated drivers, sends telemetry away or uses other implemented stuff which cripples your speed, but I can guarantee that using 'pure' OpenVPN software/drivers is the best you can do when it comes to speed, especially because you can change its configuration in order to 'optimize' it. But that's something you need to test on your own, because every router and VPN provider is different here.
Trust: I simply trust the community a lot more than the provider, because more eyes are watching these projects and they might reveal lots of issues which can then be fixed. If you check Reddit and other bigger channels you see that reports and findings are important in order to improve every VPN service; without any feedback nothing can be fixed, I think that should be clear. Feedback is in general something which is priceless, because your provider gets it for free and can decide how to handle this information.