As any reader of our website will know, we are huge fans of all things open source. While far from being a magic bullet, the fact that open source code is freely available for others to inspect and audit provides the best (and only) protection available against it containing malicious code, NSA backdoors, or who knows what else. With proprietary closed-source code, on the other hand, there is absolutely no way to determine what it contains.
Therefore, it comes down to a matter of trusting the company involved, which this post-Snowden world has demonstrated time and again is a very foolish thing to do.
Open source VPN Client
Despite stiff competition from IKEv2, OpenVPN remains the only battle-tested secure VPN protocol.
Generic open source OpenVPN clients are now available on all major platforms. Therefore, there is very little reason to consider anything else.
These open source VPN clients can use a VPN provider’s standard OpenVPN configuration files to connect via OpenVPN, even if the provider does not explicitly support OpenVPN on that platform.
The ‘official’ FOSS forks of OpenVPN on the major platforms are:
- Windows XP+ - OpenVPN GUI
- macOS - Tunnelblick
- Android - OpenVPN for Android
- iOS - OpenVPN Connect
- Linux - network-manager-OpenVPN
The open source DD-WRT and Tomato router firmware also have OpenVPN clients built-in.
Open source OpenVPN clients require configuration files to be downloaded from the VPN provider and imported into the client. Therefore, they are slightly more complicated to set up than custom VPN clients.
Fortunately, there are plenty of detailed how-to guides available on how to do this, and minimal technical competence is required.
The more significant problem is that while these clients generally work very well, they lack the additional features, bells, and whistles that are usually available in custom VPN software.
SoftEther VPN
An alternative to OpenVPN is SoftEther, which is also a free, open source, cross-platform, multi-protocol VPN client and server. However, it is less widely known and has been tested less for vulnerabilities. If you wish to give it a go, you can use the SoftEther VPN client for free - VPNGate.
Custom VPN Client
Almost all VPN providers will happily supply instructions and the configuration files needed for setting up their service using generic ‘stock’ OpenVPN clients, but many of them also provide their own custom clients.
Usually, these are just wrappers over the stock open source OpenVPN code, although some base their clients on SoftEther code, which is similarly open source.
In addition to being easy to set up, as the necessary config files are already in the client, many providers also add extra features, most (but not all) of which are very useful. The four most valuable features found in custom VPN clients are:
VPN Kill Switch
This ensures that your internet connection is always safe. As the name suggests, it kills your internet if your VPN connection drops. Some VPN kill switches are even more subtle and will work on a per-app basis. This is fantastic for ensuring your BitTorrent client never downloads when you aren't using a VPN.
Other kill-switch style solutions are available, but having this functionality built into the VPN client is very handy.
DNS Leak Protection
In theory, your VPN provider should handle all DNS requests when connected via VPN. Unfortunately, sometimes either your computer or its servers can misroute the request, so that your ISP handles it instead - this is a DNS leak.
There are various things you can do to prevent DNS leaks, but having this functionality built into the client is a definite bonus.
Configurable Encryption
If a VPN provider offers variable levels of encryption, then configuring it using stock OpenVPN means manually editing configuration files. Having the option in the custom client is obviously easier, although it does beg the question of why the provider is not using maximum encryption by default.
Changing encryption settings also raises your profile on the internet. Therefore, if you use this option, you should pick a setting and stick with it.
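With a stock client, the encryption and DNS behaviour described in the two sections above live in the provider's `.ovpn` file, so it is worth reading that file before importing it. The following is an added example, not code from OpenVPN or any provider: a small auditor that parses a profile and reports legacy cipher/HMAC choices and directives that affect DNS handling. The sample profile, the finding names, and the "legacy" lists are assumptions made for illustration.

```python
import re
# Constructed sample profile (not from a real provider).
SAMPLE_OVPN = """client
remote vpn.example.net 1194 udp
cipher BF-CBC
auth SHA1
route-nopull
;block-outside-dns
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
LEGACY_AUTH = {"MD5", "SHA1", "NONE"}  # illustrative list, an assumption

def parse_ovpn(text):
    """Map directive -> list of argument lists; skip comments and inline <x> blocks."""
    opts, inline = {}, None
    for line in map(str.strip, text.splitlines()):
        if inline:                       # inside <ca>/<cert>/<key>: ignore payload
            if line == f"</{inline}>":
                inline = None
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            inline = tag.group(1)
        elif line and line[0] not in "#;":
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return sorted finding codes for encryption and DNS/routing settings."""
    o, found = parse_ovpn(text), set()
    ciphers = [c.upper() for a in o.get("cipher", []) + o.get("data-ciphers", [])
               for c in ":".join(a).split(":") if c]
    if any(c in LEGACY_CIPHERS for c in ciphers):
        found.add("legacy-cipher")
    if any(a and a[0].upper() in LEGACY_AUTH for a in o.get("auth", [])):
        found.add("legacy-auth")
    if "route-nopull" in o:              # discards pushed routes and DNS options
        found.add("ignores-pushed-dns")
    if "redirect-gateway" not in o:      # fine only if the server pushes it
        found.add("default-route-not-set-in-profile")
    if "block-outside-dns" not in o:     # Windows-only; may also be pushed
        found.add("no-block-outside-dns-in-profile")
    return sorted(found)

if __name__ == "__main__":
    print(audit(SAMPLE_OVPN))
```

The two `-in-profile` findings are prompts to check what the server pushes, not proof of a leak, since `redirect-gateway` and `block-outside-dns` can both arrive from the server at connect time.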
Custom vs Open source VPN Clients Recap
In the case of VPN clients, our personal view goes somewhat against our usual rabid support for open source. The thing is: your VPN provider has full access to your internet traffic, anyway.
The encrypted tunnel only lasts between your computer and the VPN server. Therefore, your VPN provider can see everything that enters and leaves that tunnel at its end.
It therefore seems somewhat redundant to worry about the client, as you are putting full trust in your provider, anyway! This is why it's essential to use a provider that you trust not to keep any logs of your activity, since it can't hand over logs that don't exist.
Hopefully, the OpenVPN development community will one day build features such as a kill switch and DNS leak protection into stock clients. However, until then, we feel that custom clients actually provide useful features that are worth using.