What is OpenVPN? And what are the best OpenVPN clients?

In this article, we explain what OpenVPN is and list the important aspects of this encryption protocol. We will also list the five best OpenVPN clients in 2019 so you can stay secure online.

What is OpenVPN?

OpenVPN is an open-source, Virtual Private Network (VPN) encryption protocol. It is recognized, industry-wide, as the most secure Virtual Private Network (VPN) encryption protocol.

As well as being extremely secure, OpenVPN is highly customizable and can be implemented in a number of different ways. OpenVPN encryption consists of a data channel and a control channel. The control channel handles key exchange, whereas the data channel encrypts the VPN user's web traffic.

Although this is the most secure encryption protocol, OpenVPN relies on certain critical factors, and unless VPNs get every vital component of the protocol right, the security of the whole encryption protocol comes crashing down.  These components are as follows:

  • The Cipher - A cipher is the algorithm that a VPN uses to encrypt the data. Encryption is only ever as strong as the cipher that the VPN protocol uses. The most common ciphers that VPN providers use are AES and Blowfish.
    Blowfish has been around since 1993. It is a cipher that has been cracked on a number of occasions and is not considered watertight in terms of security. It uses weaker keys than AES, but its main drawback is its 64-bit block size which is why it struggles to encrypt large files.
    Advanced Encryption Standard (AES) is a more modern form of encryption. AES has to be a minimum of 128-bit for it to be secure. Here at ProPrivacy.com, we generally prefer the 256-bit implementation. However, 128-bit AES is perfectly secure (and interestingly actually has a stronger key schedule).
  • Encryption channels. OpenVPN uses two channels: the data channel and the control channel. The components for each one are as follows: Data channel - cipher + hash authentication. Control channel - cipher + TLS handshake encryption + hash authentication + whether perfect forward secrecy is used (and how).
  • Handshake encryption.  This is used to secure the TLS key exchange.  RSA is usually used, but DHE or ECDH can be used instead and also provide PFS.
  • Hash Authentication. This uses a cryptographic hash to verify that data has not been tampered with. In OpenVPN, it is usually done using HMAC SHA, but if an AES-GCM cipher is being used (instead of AES-CBC) then the GCM can provide the hash auth instead. 
  • Perfect Forward secrecy - PFS is a system in which a unique private encryption key is generated for each session. It means that each Transport Layer Security (TLS) session has its own set of keys. That's why they're referred to as “ephemeral keys” – they are used once only - and then they disappear.

As a result, OpenVPN encryption is only ever as strong as its weakest point, which is why OpenVPN must meet certain minimum requirements. The  minimum settings we recommend for OpenVPN connections are:

Data channel: an AES-128-CBC cipher with HMAC SHA1 hash authentication. If an AES-GCM cipher is used then additional authentication is not required.

Control channel: an AES-128-CBC cipher with RSA-2048 or ECDH-385 handshake encryption and HMAC SHA1 hash authentication (see notes about AES-GCM above). Perfect forward secrecy may be provided by any DHE or ECDH key exchange.
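As an added example (not from the article or from any VPN provider), the following Python script audits the directives of an .ovpn profile against the minimums stated above. The two profile fragments are constructed; RSA and DH key sizes live in certificates and server parameters rather than in the profile, so they are not checked here.

```python
import re

# Article minimums: AES-128+ data cipher, HMAC SHA1+ unless AES-GCM, DHE/ECDHE for PFS.
AES_RE = re.compile(r"^AES-(128|192|256)-(CBC|GCM)$")
OK_AUTH = {"SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}
PFS_RE = re.compile(r"^(TLS-)?(DHE|ECDHE)-")

def parse_ovpn(text):
    """Return {directive: [args]}; skips comments and inline <ca>/<key> blocks."""
    opts, skip_until = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if skip_until:                      # inside an inline PEM block
            skip_until = None if line == skip_until else skip_until
            continue
        block = re.match(r"^<([\w-]+)>$", line)
        if block:
            skip_until = f"</{block.group(1)}>"
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key.lower()] = args
    return opts

def audit(text):
    """Return a list of findings; an empty list means the minimums are met."""
    opts, findings = parse_ovpn(text), []
    def arg(key, default=""):
        return (opts.get(key) or [default])[0].upper()
    # Every cipher the client is willing to negotiate counts, not just the first.
    ciphers = [c for c in arg("data-ciphers").split(":") + [arg("cipher")] if c]
    if not ciphers:
        findings.append("no cipher set: data cipher depends on client defaults")
    for c in ciphers:
        if not AES_RE.match(c):
            findings.append(f"cipher {c}: not AES with a 128-bit or longer key")
    # A separate HMAC matters only for non-GCM ciphers; OpenVPN's default is SHA1.
    auth = arg("auth", "SHA1")
    if any(not c.endswith("-GCM") for c in ciphers) and auth not in OK_AUTH:
        findings.append(f"auth {auth}: weaker than HMAC SHA1")
    # Control channel: a pinned suite without DHE/ECDHE gives up forward secrecy.
    for suite in filter(None, arg("tls-cipher").split(":")):
        if not PFS_RE.match(suite):
            findings.append(f"tls-cipher {suite}: no ephemeral key exchange (no PFS)")
    return findings

# Constructed sample profile fragments (not from any real provider).
WEAK = """client
cipher BF-CBC        # 64-bit block cipher
auth MD5
tls-cipher TLS-RSA-WITH-AES-128-CBC-SHA
<ca>
placeholder
</ca>
"""
STRONG = """client
data-ciphers AES-256-GCM:AES-128-GCM
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(STRONG), sep="\n")
```

An empty result means only that the profile does not pin anything below the minimums; what the server actually negotiates still has to be confirmed from the connection log.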

The best OpenVPN clients

We have listed the best OpenVPN clients below. These services all implement OpenVPN encryption to the highest standard and also have custom OpenVPN clients, making them extremely easy to set up.

1. NordVPN

  • Pricing

    From $3.49 / month
  • Available on

    • Windows
    • MacOS
    • Android
    • iOS
  • Features

    • Netflix
    • iPlayer

NordVPN is undoubtedly a very fully-featured service. The fact that it is based in Panama and keeps no logs at all is also a big draw for those who care about privacy. Its software looks good, and works well. Speed performance is now very impressive.

And a three-day free trial, plus a 30-day money-back guarantee give you plenty of opportunity to ensure that everything works for you as it should.

NordVPN uses the following encryption settings for OpenVPN connections; Data channel: an AES-256-CBC cipher with HMAC SHA256 hash authentication. Control channel: an AES-256-CBC cipher with an RSA-2048 handshake and HMAC SHA256 data authentication. Perfect Forward Secrecy (PFS) is provided by a DHE-4096 key exchange. This is a very strong setup.

NordVPN permits torrenting, works with all major streaming services (including US Netflix and BBC iPlayer), and has servers in 58 countries. It even throws in a full smart DNS service for free! What you get with NordVPN is a very fully featured, privacy-friendly VPN service that is also very fast.

2. PrivateVPN

  • Pricing

    From $1.89 / month
  • Available on

    • Windows
    • MacOS
    • Android
    • Linux
    • iOS
  • Features

    • Netflix
    • iPlayer

This Swedish VPN service provides fantastic OpenVPN implementation and a zero logs policy. What's more, it's a favorite among consumers, who only have good things to say about it. The price is superb considering what you get. The VPN is fully featured and unblocks services that many VPNs can't (Netflix US, BBC iPlayer). Customer care is available 24/7.

Reliability is excellent with this trusted VPN. The software is available for all platforms. What's more, it's a dream to use and works extremely efficiently. Servers are located in over 50 countries and PrivateVPN adds more servers regularly. This VPN keeps impressing and is definitely upwardly mobile. With a seven-day free trial and a 30-day money-back guarantee, you have no reason not to test this VPN.

3. ExpressVPN

  • Pricing

    From $6.67 / month
  • Available on

    • Windows
    • MacOS
    • Android
    • Linux
    • iOS
  • Features

    • Netflix
    • iPlayer

ExpressVPN is a superb service that implements OpenVPN to a very high standard - AES-256 cipher with RSA-4096 handshake and SHA-512 HMAC hash authentication and perfect forward secrecy (PFS). That means the OpenVPN implementation well surpasses our minimum standards. In addition, it has a watertight privacy policy and keeps no usage logs. IP addresses are available in 94 countries, and all of the servers on ExpressVPN's network provide fantastic speeds for streaming in HD.

Our ExpressVPN review shows why their software is popular for all platforms and is extremely easy to use. In addition, that software includes all the important features you would expect from a top-of-the-range VPN - DNS leak protection, stealth mode, and a kill switch. This reliable and trusted VPN has users all over the world. It has proven it can keep up with the needs of an ever growing client base: not something many VPNs can do. With ExpressVPN, reliability is formidable and stable. With fantastic OpenVPN encryption, this service will protect your privacy both on public WiFi and at home. It's also perfect for unblocking anything! Finally, it has a 30-day money-back guarantee to allow you to test the service without risk.

4. IPVanish

  • Pricing

    From $5.20 / month
  • Available on

    • Windows
    • MacOS
    • Android
    • iOS

IPVanish is a US-based provider that implements OpenVPN above minimum standards. Although it isn't quite as strongly implemented as the VPNs above, it does have perfect forward secrecy and is both private and secure. Where this VPN shines is in terms of speeds. It has servers in over 60 countries and all of those servers are super-duper-fast. That makes it perfect for people who want to do data-intensive tasks while being protected with OpenVPN encryption.

This VPN keeps zero logs, which makes up for it being based in the US. In terms of customer care, it isn't quite as good as the VPNs above because help is only available in US business hours. However, this VPN is fully featured, will protect you at home and on public WiFi, and is as fast as they come! Furthermore, it has a seven-day money-back guarantee, so that you can test it for yourself to see just how quickly it compares to other services!

5. VPNArea

  • Pricing

    From $2.99 / month
  • Available on

    • Windows
    • Android
    • iOS
    • MacOS
    • Linux
  • Features

    • Netflix
    • iPlayer

This Bulgarian provider is a real all-rounder. It has brilliantly implemented OpenVPN encryption with PFS and a zero logs policy. Servers in over 60 countries provide fast connections that are perfect for streaming in HD. Customer care is both friendly and efficient - this VPN really cares about its users.

The software is fully featured with DNS leak protection and a kill switch. In addition, it is available for all popular platforms and is extremely easy to use. With so much on offer and watertight privacy, this VPN is well worth a try - so why not test it using the 14-day money-back guarantee?

Is OpenVPN safe to use?

Yes, OpenVPN is safe to use. However, it is possible to identify OpenVPN encrypted traffic using Deep Packet Inspection (DPI). DPI can be performed at the ISP level on behalf of the government.

As a result, in countries where VPN use is blocked using ISP-level firewalls it is essential that your VPN can disguise OpenVPN traffic as regular HTTPS. This is usually done by routing OpenVPN traffic over port 443 to disguise it as regular HTTPS. 

Obfuscation can also be achieved via other methods including Stunnel, Obfsproxy, or XOR. These have varying ways of concealing VPN use and bypassing ISP firewalls (all of which are considered more robust than OpenVPN over port 443).

Thus to be secure in a country where OpenVPN is illegal (Egypt, China, Russia, Iran, for example) it is essential to check that your VPN has one of the latter mentioned obfuscation methods before you subscribe. This is because OpenVPN over port 443 can be spotted with even modest DPI, and a more robust form of cloaking is needed.
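Why the port number alone is a thin disguise, as an added example (not from the article): the first TCP payload of an OpenVPN session begins with a length prefix and a hard-reset opcode rather than a TLS record header, so reading a handful of bytes is enough to tell the two apart. The payloads below are constructed; a tunnel wrapped in real TLS, which is what Stunnel does, opens with a genuine ClientHello and lands in the first branch.

```python
import struct

# First-packet opcodes an OpenVPN client sends (the opcode is the top 5 bits of the byte).
HARD_RESET_CLIENT = {7: "P_CONTROL_HARD_RESET_CLIENT_V2",
                     10: "P_CONTROL_HARD_RESET_CLIENT_V3"}

def classify_first_payload(data: bytes) -> str:
    """Classify the first client-to-server TCP payload seen on port 443."""
    # TLS: record type 0x16 (handshake), version major 0x03, handshake type 0x01.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    # OpenVPN over TCP: 2-byte length prefix, then opcode (5 bits) | key_id (3 bits).
    if len(data) >= 3:
        (length,) = struct.unpack("!H", data[:2])
        opcode, key_id = data[2] >> 3, data[2] & 0x07
        if opcode in HARD_RESET_CLIENT and key_id == 0 and 0 < length <= len(data) - 2:
            return "openvpn/" + HARD_RESET_CLIENT[opcode]
    return "unknown"

# Constructed payloads: the session ID bytes are made up and the TLS record is truncated.
OPENVPN_RESET = (struct.pack("!H", 14) + bytes([7 << 3]) + bytes(range(8))
                 + b"\x00" + bytes(4))
TLS_HELLO = bytes.fromhex("16030100050100000100")

if __name__ == "__main__":
    for name, payload in (("openvpn", OPENVPN_RESET), ("tls", TLS_HELLO)):
        print(name, "->", classify_first_payload(payload))
```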

Why OpenVPN over other VPN protocols?

There are several VPN encryption protocols out there. These include the following:

  • Point-to-Point Tunneling Protocol (PPTP), which is now considered outdated and insecure
  • Layer 2 Tunneling Protocol (L2TP)
  • Internet Protocol Security (IPsec). This is an authentication protocol that needs to be paired with a tunneling suite to make it suitable for VPN encryption purposes. IPsec is usually combined with L2TP to make L2TP/IPsec or with IKEv2 to make IKEv2/IPsec. It is worth noting that this commonly used auth method cannot exist on its own without being paired with a tunneling suite. Also, L2TP/IPsec is secure enough for most stuff, but the Snowden papers showed it can be cracked by the NSA.
  • Secure Socket Tunneling Protocol (SSTP)
  • Internet Key Exchange version 2 (IKEv2).

All the protocols mentioned above are secure (apart from PPTP, which should be avoided for privacy purposes). However, they simply can’t match the privacy that the king of VPN encryption protocols (OpenVPN) provides. 

OpenVPN is the best because it is secure and fast enough for streaming and other such tasks (especially if you stick to OpenVPN UDP). However, it is also worth mentioning that it is generally the slowest VPN protocol. 

However, OpenVPN has been proven to be secure, which means it cannot be penetrated by anyone trying to snoop on your data. In fact, when implemented to our minimum standards or above (the ones in this guide are all implemented in excess of our minimum standards) it cannot even be penetrated by government intelligence agencies.

What are OpenVPN tunnels?

A VPN "tunnel" is the name given to the encrypted connection between a device and the VPN server. When a VPN user's traffic is encrypted and "tunneled" to a VPN server, the user's ISP is unable to detect the content of the traffic. This means the ISP is unable to analyse any of your data as it passes through its servers. This is how the VPN provides digital privacy.

It is not just ISPs either. Local network administrators in workplaces, schools, on public WiFi, landlords - and even the government - are unable to monitor traffic thanks to the encryption "tunnel" provided by the VPN software.

OpenVPN SSL VPN (Secure Sockets Layer Encryption)

The OpenVPN protocol makes use of Secure Sockets Layer Encryption (SSL). This is a popular method for encrypting data between a computer and the server it is connected to. Specifically, it makes use of the TLS protocol and the OpenSSL library. 

This means you can configure OpenVPN to run on any port, making it possible to use OpenVPN to get around firewalls. By running OpenVPN TCP over port 443, OpenVPN traffic is disguised. This is because TCP port 443 is used for regular SSL traffic (https). This makes it very difficult for ISPs to detect OpenVPN use. This is often referred to as “stealth mode.”

It is worth noting that this is only one method of concealing the use of a VPN. Other popular methods include Stunnel and Obfsproxy. In addition, some VPNs such as ExpressVPN and VyprVPN have their own proprietary cloaking features, which are known to work extremely well for getting around firewalls such as the Great Firewall of China.

Setting up OpenVPN 

Setting up and using OpenVPN can be done in one of two ways. Let's take a closer look:

Custom OpenVPN Clients

The easiest method is by subscribing to a VPN that has custom VPN software with native OpenVPN functionality. We have listed the best OpenVPN clients above, all of which implement OpenVPN to the highest standard.

Open Source OpenVPN Clients

The second method is by using config files provided by the VPN provider (.ovpn files) and a third-party OpenVPN client. The developers of the OpenVPN protocol also produce an open-source client that anybody can use on any platform. In addition, there are other third-party OpenVPN clients available such as OpenVPN Connect and OpenVPN for Android.

These third-party clients are a bit more tricky to set up and are often missing extra features such as a kill switch. If you want to use a third-party client, you will be able to follow a setup guide on your VPN's website. However, on the whole, we recommend you stick to the custom client if you can.

OpenVPN Compatibility

All the VPNs in this guide have been selected because they provide OpenVPN on all popular platforms. Let's take a closer look:

Android VPN OpenVPN

If you want to use one of our recommended OpenVPN VPNs on an Android device simply ensure you download the correct client from the VPN's website. Alternatively, you will be able to find the OpenVPN client on the Google Play store. After you have downloaded the VPN software to your Android device - you can log in using the credentials you inserted when you subscribed.

If you do want to use a third-party client for Android, we recommend OpenVPN for Android. Alternatively, you can get custom Android VPN apps that will already have OpenVPN implemented.

OpenVPN for iPhone

OpenVPN for iOS is a bit rarer than on the other platforms. Apple makes it harder to implement OpenVPN, which is why IKEv2 is generally the encryption of choice on iOS devices. OpenVPN is only currently available on iOS using the OpenVPN Connect (third-party) app.

As long as your favorite VPN provides .ovpn config files you can install the app from the iTunes store and use it. Please follow your VPN's setup guide to download the config files and set up the OpenVPN Connect client. Check out this OpenVPN Connect review for more details. Also, if you want a list of the best VPN services for iPhone, check out our best iPhone VPN article.

Windows VPN OpenVPN

All of the VPNs that we have recommended in this guide have excellent Windows clients with built-in OpenVPN functionality. For this reason, all you will need to do is subscribe, download the Windows client, select OpenVPN in the settings, and connect to the VPN. If you want to know more about using a VPN with Windows, then take a look at our Windows VPN guide.

If for any reason you do want to use a third-party client on Windows we recommend: OpenVPN.

OpenVPN for Mac

As with iOS, it is possible that you will need to use a third-party client to connect to OpenVPN on a Mac. The very best OpenVPN providers do implement OpenVPN on their Mac clients, so as long as you stick to one of the VPNs higher in this list you will be fine. If you are a Mac user and you want more information about using a VPN, take a look at our Mac VPN guide.

However, it is not hard to set up OpenVPN using a third-party client because your VPN will have a setup guide to help you do so. You will want to use Tunnelblick as this is the best third-party client for Mac OSX. If you use Apple TV, check out our VPN for Apple TV guide for more information.

Using an OpenVPN Router

Another option is to use an OpenVPN router. Some routers come with an OpenVPN client built in that can be set up to work with a VPN of your choice (using .ovpn config files). 

A VPN router is extremely handy because it means that you don't have to connect every single device in your house to the VPN separately. As soon as the router is connected to the VPN: all the devices in your home are automatically protected by the OpenVPN encryption. 

What Can I Do with an OpenVPN VPN?

Strong OpenVPN encryption guarantees your privacy.  That means you are free to access any content you want online. VPN users don’t need to worry about nosy ISPs, governments, corporations, advertisers, and WiFi hackers. They won't be able to detect what you're doing online. In addition, you can get around government-imposed restrictions and censorship.

With a VPN, geo-restrictions have no power over you. You can access online services and websites that are supposed to be inaccessible in your country. You can watch foreign TV streams and international sports competitions. If you are an Expat, a VPN can be a very useful tool, as you are able to access websites from back home. In the end, there's no limit to what you can do online with a VPN, especially when you're safe in the knowledge that you have the very best privacy protection in place: OpenVPN encryption.

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. Ray is currently rated #4 VPN and #3 internet privacy authority by Agilience.com.

6 Comments

  1. Hillary

    on March 21, 2017

    Hi, is there any possible way which I can set up a free openvpn service on windows 7? I've looked into vpn book and tbh they look a little shady so I'd rather not take the chance but is there any way at no cost? Whether it's off a website or setting it up myself, please get back to me at your earliest convenience. Thank you in advance.

    1. Douglas Crawford replied to Hillary

      on March 22, 2017

      Hi Hillary, Is something like this what you are looking for?

  2. Pepe

    on February 28, 2017

    How does private tunnel open VPN fare?

    1. Douglas Crawford replied to Pepe

      on February 28, 2017

      Hi Pepe, Please check out Thomas' Private Tunnel Review.

  3. Linda

    on January 13, 2017

    Can Express VPN be used to stream movies, videos or TV on an Amazon fire Stick?

    1. Douglas Crawford replied to Linda

      on January 13, 2017

      Hi Linda, Not directly, as the Amazon Fire TV stick does not have a VPN client built-in (and it's impossible to install one on a non-rooted device). - You can, however, share a VPN connection with your desktop/laptop PC, or connect via a VPN router. ExpressVPN itself has instructions for doing these here - ExpressVPN also throws in a free Smart DNS service, which you could use instead of a regular VPN. See here for instructions on how to set this up - just replace the DNS settings with those provided by ExpressVPN. - A more extreme solution is to root your TV stick. You will then be able to sideload any regular Android VPN app. Please see here for instructions.
