OpenVPN: TLS-Based VPN Architecture
Study how OpenVPN uses TLS for control channel and configurable ciphers for the data channel.
OpenVPN Two-Channel Architecture
OpenVPN uses two separate channels: the control channel and the data channel. The control channel handles authentication, session establishment, and configuration exchange using TLS. The data channel carries actual VPN traffic encrypted with a symmetric cipher negotiated through the control channel. This separation allows OpenVPN to leverage the full TLS ecosystem for key management.
Control Channel: TLS for Key Negotiation
The OpenVPN control channel runs a full TLS session. Both sides authenticate using X.509 certificates signed by a shared CA. TLS provides the key exchange, certificate validation, and negotiation of data channel cipher parameters. Because TLS supports ECDHE, the control channel provides perfect forward secrecy: data channel keys cannot be recovered from a captured session even with the CA key.
All lessons in this course
- IPsec: IKEv2, ESP, and AH Protocols
- WireGuard: ChaCha20 and Curve25519 VPN
- OpenVPN: TLS-Based VPN Architecture
- Comparing VPN Protocols: Security and Performance