What's the advantage of OpenVPN over SSTP?

Considering a Windows-only environment, what's the advantage of introducing OpenVPN as the company VPN service instead of the Windows built-in protocols? In particular, the new SSTP protocol already overcomes one of the weaknesses of PPTP, which may not go over firewall/NAT.

I'm wondering whether there is any reason not to use the Windows integrated solution. The strength of the security can be an issue, but I'm not sure how different they are (I know MS VPN was vulnerable, but is it still?)

Thanks.


The availability of clients for OpenVPN is wider than that of SSTP (at least, right now). I can buy an IP phone with an embedded OpenVPN client, for example. AFAIK, Microsoft didn't back-port the SSTP client to Windows XP (which, initially, they said they would), so that cuts off a large client-base. In contrast, though, SSTP doesn't require the installation of third-party software on supported client operating systems.

There are no per-client license fees with OpenVPN as there are with Microsoft's offering. (I won't offer my opinion on which specific usages need a Windows CAL and which don't... In some documentation Microsoft claims that a DHCP client needs a CAL, so I tend to give them a wide berth. If my janitor dusts around my Windows Server machine I probably need a CAL for them. The right place to find out about licensing is the software "manufacturer" anyway...)

The functionality built into the OpenVPN client to receive "pushed" routes is more flexible than Microsoft's VPN client (unless you use the CMAK, and that hasn't been reliable for me in practice).


The main advantage of OpenVPN in a Windows-only environment is the use of UDP as the underlying bearer, since this avoids the "TCP meltdown problem". See http://sites.inka.de/bigred/devel/tcp-tcp.html for more info about TCP in TCP.

hth, cheerio Steve


Note that, unfortunately, SSTP (as of November 2011) will not work over a proxy server with authentication. This is documented, although not many realize it.

It is also possible for the network administrator of a non-authenticating proxy to detect SSTP headers and drop the connections. So the statement that it goes across any firewall, etc. is true with some reservations.

OpenVPN is capable of going over HTTPS on a proxy with authentication. It is much harder to block this traffic because it looks like normal "SSL", but it is not! It is possible, with some packet inspection on the first bytes of the contents, to block those packets. OpenVPN in this mode loses the "UDP" performance gain, because OpenVPN would be working in TCP mode. So in this sense it is equal to SSTP.

For OpenVPN, on the server side, you need to have two public IPs if you also have a web server on port 443; this is for the commercial edition. For the community edition it is possible to share port 443 on the same IP, because the server detects non-OpenVPN protocol and redirects the traffic to an alternative web server (443). This only works in the Linux version of the OpenVPN server.

On SSTP, it is possible to share the same IP/port 443, for both SSTP traffic and normal web server protected pages.

On SSTP there can be an SSL offloading device on the network before reaching the RRAS server. On OpenVPN, because the traffic is not really "true" SSL, i.e. the OpenVPN protocol encapsulates an SSL payload, this is not feasible.

On OpenVPN community, you need to handle the PKI infrastructure, certificates, etc., which can be a harder learning curve sometimes... (on the community edition). On the commercial edition this task is made easier.

On OpenVPN commercial, the authentication can be integrated with LDAP (for instance on an AD). On community this is not possible (not completely sure, but almost!). The idea is more around client certificates, although it is possible to use simpler certificate schemes.

On SSTP, this is obviously included.

OpenVPN works in UDP mode, which is very good, but then PPTP also works on UDP for the data channel (GRE protocol). Because the question is the comparison between SSTP and OpenVPN, let's just assume we are comparing TCP traffic.

So you see... there is not a better or worse... In my case I fought hard to choose one due to my functional requirements... and I am still not fully happy with the one I had to choose (SSTP), but fairly satisfied. I say this because if the network (hotel) blocks PPTP then SSTP can be used... this is handled automatically by the VPN client.

OpenVPN client has a similar fallback mechanism.

SSTP is already supported by Linux, but the project seems to be in the initial stages.
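
The answer above says that OpenVPN on TCP 443 only resembles SSL and that inspecting the first bytes of a stream can tell the two apart. The following is an added example (not from the original answer or the OpenVPN project) showing that check from a network monitor's side; the sample byte strings are constructed, and the 14 to 1500 byte length bound is an assumption chosen for illustration.

```python
# Added example: classify the first bytes of a TCP/443 stream.
TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # TLS handshake message type: ClientHello

# OpenVPN opcodes a client can use to open a session.
OVPN_CLIENT_RESETS = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'openvpn-tcp', 'unknown' or 'short' for a stream prefix."""
    if len(data) < 6:
        return "short"
    # TLS record: type 0x16, major version 0x03, minor, 2-byte length,
    # then the handshake type (0x01 for a ClientHello).
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian packet length, then one byte holding
    # the opcode (high 5 bits) and key id (low 3 bits, 0 on a new session).
    length = int.from_bytes(data[:2], "big")
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # Smallest reset: opcode(1) + session id(8) + ack count(1) + packet id(4).
    # The upper bound of 1500 is an assumed sanity limit, not a protocol rule.
    if opcode in OVPN_CLIENT_RESETS and key_id == 0 and 14 <= length <= 1500:
        return "openvpn-tcp"
    return "unknown"

def triage(streams: dict) -> dict:
    """Label each named stream prefix."""
    return {name: classify_first_bytes(prefix) for name, prefix in streams.items()}

# Constructed sample prefixes (not captured traffic).
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100c8010000c40303"),
    "openvpn_reset_v2": bytes.fromhex("000e38" "1122334455667788" "00" "00000000"),
    "plain_http": b"GET / HTTP/1.1\r\n",
    "truncated": b"\x16\x03",
}

if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name}: {label}")
```

The opcode byte stays readable even when the control channel is wrapped with a pre-shared key, which is why the stream is distinguishable from a real TLS handshake despite using port 443.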


PPTP is considered cryptographically broken and should not be used. It's not just a matter of key length, but of serious flaws in authentication and in Microsoft Point-to-Point Encryption (MPPE).

My own preference, from the standpoints of robust architecture, wide support, high security, reliable network traversal, and solid performance, is OpenVPN.