
The New Cloudflare VPN: What It Is & Isn’t

There's been some talk around the Internet about the recently launched Cloudflare VPN, which claims to be a stronger, more modern VPN – namely because it's built on the WireGuard protocol. It’s true that as an open source project, WireGuard is doing some exciting things. But the way in which it’s being compared to the OpenVPN protocol isn’t quite painting the whole picture. The OpenVPN project has grown over two decades, and the maturity and functionality of the protocol reflects that.

This article in particular compares WireGuard to OpenVPN and claims that the overall source code of OpenVPN is closer to 600,000 lines of code, which is an enormous amount — and an unfair comparison. The open source OpenVPN version is about 70,000 lines of code, and that figure includes support for two different cryptographic libraries, which means you are not bound to the OpenSSL cryptographic library alone. It also adds much more advanced authentication possibilities, such as username/password, two-factor authentication, and certificate-based authentication, plus a flexible plug-in and scripting interface for far more advanced integrations.

WireGuard as it is today has a much smaller set of authentication methods and far more limited integration interfaces compared to OpenVPN. This is one of the reasons why OpenVPN's code base is more comprehensive. This does not mean WireGuard is not a fully featured VPN solution on its own, but for more demanding VPN users this can be a big concern for their setup.

OpenSSL code is also widely used in a lot of applications on the Internet, not only in OpenVPN. The vast majority of web sites use the same OpenSSL code base. In addition, OSTIF — who arranged one of the third-party code audits of OpenVPN in 2017 — has also ensured that OpenSSL has gone through a similar code audit. OpenVPN's audit proves its security and effectiveness, and it has been used by major enterprises because it is known to have the highest level of security. The WireGuard code base Cloudflare uses for its Warp service is too fresh to have had a chance to be audited by independent third-party reviewers.

Most importantly, since both OpenVPN and WireGuard are open source projects, they are both focused on collaboration. Developers from both projects are discussing challenges related to providing solid and efficient open source based VPN solutions. We are all interested in ensuring that end users have the best solutions at hand, which can only be truly achieved by working in the open and collaborating together. We believe in open source development, which is about connecting and creating solutions together — so when the article pits these projects against each other, it misses the point of what open source is all about: collaboration and sharing. Yes, the WireGuard and OpenVPN open source projects can be seen as competitors, but both projects can also build on each other's innovation. That is why OpenVPN welcomes new projects like WireGuard: we each have independent and different goals based on our users' demands, but that doesn't mean we need to compete.

OpenVPN, Inc. is committed to improving the performance of OpenVPN. OpenVPN, Inc. has also spent time implementing the third-generation OpenVPN code base, making it easier to implement the OpenVPN protocol in many more products than before — as well as further improving overall performance and speed.

The Cloudflare VPN might have a lot of flash now — and it is an interesting product. The challenge is simply that their new VPN service is fairly restricted in the additional features it can provide. While protecting Internet traffic on various hot-spots and insecure networks is a valid use case, we are concerned that Cloudflare's reimplementation of the WireGuard code has not reached maturity yet.

Editor’s note: A previous version of this blog post included content that may have been misconstrued; we have updated it accordingly.
