Cryptographic authentication of the Official OpenVPN Client for Windows

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
maltfield
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 15, 2021 12:28 pm

Cryptographic authentication of the Official OpenVPN Client for Windows

Post by maltfield » Mon Mar 15, 2021 12:49 pm

Question: How do I download and cryptographically verify the official OpenVPN client for Windows?

Background: I'm a Linux user. I've been using OpenVPN for years in Debian, which is straight-forward. The below command not only installs the openvpn client, but it also does it securely by verifying that the apt repo's manifest was correctly signed by the repo's gpg key. So it's a simple and safe way to obtain the official OpenVPN binaries.

Code: Select all

sudo apt-get install openvpn
Enter the chaos of Windows package management.

My expectation is that for software not obtained via `apt`, I'd get the PGP key of the publisher (well-integrated into the Web-of-Trust), download the release, and download the release's signature (or manifest file's signature). But before I even get so far as to trying to find the keys and signatures, I can't even figure out what is the official OpenVPN client!?!

I quickly stumbled on two:

* https://openvpn.net/client-connect-vpn-for-windows/
* https://openvpn.net/community-downloads/

They are both available at the same domain (openvpn.net) and their latest release both came out in February 2021 (last month). They both are available for Windows. And neither page appears to acknowledge the other page and attempts to explain the difference between the two. Can someone tell me what is the difference between these two releases? What is the official OpenVPN client for Windows?

And, finally, can someone please link me to the documentation that describes the correct procedure for cryptographically verifying the client after download? This should describe how to get the official release-signing key (in more than one place, out-of-band) and how to use it to verify the installer.

If no documentation exists on how to verify the release's authenticity after download, then I'd like to open a bug report to create such documentation. If such documentation does exist, then I'd like to open a bug report to update the above two URLs with a link to the documentation.

In summary:
  1. What is the official OpenVPN client for Windows and where can it be downloaded?
  2. Where is the documentation on how to cryptographically verify the authenticity of the OpenVPN client for Windows' installer after download?
  3. Where do I go to create a bug report to update the download page on openvpn.net?
  4. Where do I go to create a bug report to update the documentation on openvpn.net?

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Cryptographic authentication of the Official OpenVPN Client for Windows

Post by openvpn_inc » Wed Mar 17, 2021 4:34 pm

Hello maltfield,

You have a lot of questions so I'll first throw some information out there and then dive into each question to address them directly.

OpenVPN Connect v3 (and legacy OpenVPN Connect v2)
This one is our official commercial client used for OpenVPN Access Server and OpenVPN Cloud created and released by OpenVPN Inc. It is called OpenVPN Connect, and is available in version 3 and version 2 (legacy version). It is meant primarily for our commercial software but is compatible with most open source server configs as well:
* https://openvpn.net/client-connect-vpn-for-windows/

If you want to verify that this client is really the client you downloaded, first of all, the download is done via HTTPS from our download servers. So unless you break SSL/TLS security, you should be pretty sure you have the real file from us. But you can verify it further by doing an SHA256 hash on the downloaded file and comparing it to the SHA256 hash signature posted on that webpage. Before we place the file on our download servers we generate the SHA256 signature and posted that on our website which is a separate entity from our download servers. If the hash signature matches then it's pretty damn sure that you've got the real file. And if that's not enough you can right click the file and go into the properties of the file and go to the tab "Digital Signatures". If it shows the digital signature is okay and that it's signed by OpenVPN Inc.'s DigiCert EV (Extended Validation) Code Signing CA then confidence in this file being the real file is so high that it's practically impossible to be manipulated or fake.

OpenVPN community edition
This one is our official open source community OpenVPN client that is built, signed, and published, by the community leaders of the OpenVPN open source project. It is meant primarily for open source users and has the ability to run as a server as well as a client, but can also be used to connect to our commercial software. It also is capable of multiple simultaneous connections which our Connect v2 and Connect v3 clients are not capable of on purpose. Consider the community client as the client for power users, and Connect v3 as the client that should be used by people that need a simple good client. Anyway, this is the open source community OpenVPN client:
* https://openvpn.net/community-downloads/

If you want to verify that this client is really the client you downloaded, again, the download is done via HTTPS from our download servers. So again unless you break SSL/TLS security then you should be pretty sure it's the right file. But community also offers a separately downloadable GPG signature file that you use against the downloaded file to verify this file's digital signature. Since you're from Linux background I assume you already know how to verify with GPG, but if not, it's posted on our website here: https://openvpn.net/community-resources/sig/

Windows digital signature check
For both commercial and open source clients, Windows actually does a signature check by itself on digitally signed files. Otherwise you'll get a warning that the author of the file could not be verified or such. So both the commercial and open source clients are signed digitally so this will happen automatically for both clients. But you can additionally check the open source client with GPG signature as well, and you can check the commercial client with SHA256 signature as well, and manually verify the digital signatures as well.

Direct Q&A
Question: How do I download and cryptographically verify the official OpenVPN client for Windows?
For commercial OpenVPN Connect v2 and v3 clients, SHA256 signature + digital signature.
For open source OpenVPN program, GPG signature + digital signature.
Can someone tell me what is the difference between these two releases? What is the official OpenVPN client for Windows?
OpenVPN Connect v2 and v3 are the commercial clients that come with the OpenVPN Access Server and OpenVPN Cloud products and are client-only and allow only 1 connection, but have some features like SAML signin support and update notifcations that the open source client may not (yet) have. The OpenVPN GUI program is the Windows open source OpenVPN client+server program that can support multiple simultaneous VPN connections and is considered more for power users and most suitable for open source server implementations. You can read more about this here: https://openvpn.net/vpn-server-resource ... h-windows/
And, finally, can someone please link me to the documentation that describes the correct procedure for cryptographically verifying the client after download?
For open source OpenVPN programs: see https://openvpn.net/community-resources/sig/
For commercial OpenVPN Connect v2 and v3 client programs, use SHA256 hash method on the file and compare the signature with the one posted on the website. You can optionally look at the digital signature on the files.
If no documentation exists on how to verify the release's authenticity after download, then I'd like to open a bug report to create such documentation. If such documentation does exist, then I'd like to open a bug report to update the above two URLs with a link to the documentation.
You may make those suggestions to the community, either by mailing list or by using the trac open source bug tracking system. You can find that here: https://community.openvpn.net/openvpn/report
What is the official OpenVPN client for Windows and where can it be downloaded?
For our commercial products OpenVPN Access Server and OpenVPN Cloud, those clients are OpenVPN Connect v3 and the now legacy client OpenVPN Connect v2. Of those two OpenVPN Connect v3 is the recommended one. It's available from the frontpage of openvpn.net when you scroll down to the bottom. Here is the direct link: https://openvpn.net/client-connect-vpn-for-windows/
For our open source OpenVPN project it is OpenVPN GUI available from here: https://openvpn.net/community-downloads/
Where is the documentation on how to cryptographically verify the authenticity of the OpenVPN client for Windows' installer after download?
For open source OpenVPN programs: see https://openvpn.net/community-resources/sig/
For commercial OpenVPN Connect v2 and v3 client programs, use SHA256 hash method on the file and compare the signature with the one posted on the website.
Where do I go to create a bug report to update the download page on openvpn.net?
You may make those suggestions to the community, either by mailing list or by using the trac open source bug tracking system. You can find that here: https://community.openvpn.net/openvpn/report
Where do I go to create a bug report to update the documentation on openvpn.net?
You may make those suggestions to the community, either by mailing list or by using the trac open source bug tracking system. You can find that here: https://community.openvpn.net/openvpn/report

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply