Cryptographic authentication of the Official OpenVPN Client for Windows
Posted: Mon Mar 15, 2021 12:49 pm
Question: How do I download and cryptographically verify the official OpenVPN client for Windows?
Background: I'm a Linux user. I've been using OpenVPN for years in Debian, which is straightforward. The below command not only installs the openvpn client, but it also does it securely by verifying that the apt repo's manifest was correctly signed by the repo's gpg key. So it's a simple and safe way to obtain the official OpenVPN binaries.
```
sudo apt-get install openvpn
```
Enter the chaos of Windows package management.
My expectation is that for software not obtained via `apt`, I'd get the PGP key of the publisher (well-integrated into the Web-of-Trust), download the release, and download the release's signature (or manifest file's signature). But before I even get so far as trying to find the keys and signatures, I can't even figure out what is the official OpenVPN client!?!
I quickly stumbled on two:
* https://openvpn.net/client-connect-vpn-for-windows/
* https://openvpn.net/community-downloads/
They are both available at the same domain (openvpn.net) and their latest releases both came out in February 2021 (last month). They both are available for Windows. And neither page appears to acknowledge the other page or attempts to explain the difference between the two. Can someone tell me what is the difference between these two releases? What is the official OpenVPN client for Windows?
And, finally, can someone please link me to the documentation that describes the correct procedure for cryptographically verifying the client after download? This should describe how to get the official release-signing key (in more than one place, out-of-band) and how to use it to verify the installer.
If no documentation exists on how to verify the release's authenticity after download, then I'd like to open a bug report to create such documentation. If such documentation does exist, then I'd like to open a bug report to update the above two URLs with a link to the documentation.
In summary:
- What is the official OpenVPN client for Windows and where can it be downloaded?
- Where is the documentation on how to cryptographically verify the authenticity of the OpenVPN client for Windows' installer after download?
- Where do I go to create a bug report to update the download page on openvpn.net?
- Where do I go to create a bug report to update the documentation on openvpn.net?
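
The check the post describes (publisher's key, release, detached signature), sketched as an added example that is not part of the original post and not OpenVPN's documented procedure. The file names and the fingerprint are placeholders, and the fingerprint is assumed to have been confirmed out-of-band; the point shown is that a "good signature" is accepted only when it was made under the pinned primary key.

```shell
#!/bin/sh
# Added example. Assumes GnuPG is installed; all inputs are placeholders.

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` lines on stdin; succeed only if there is a VALIDSIG
# whose last field (the primary key fingerprint) equals the pinned one and
# no signature in the file is bad, expired, revoked or made by another key.
status_ok() (
  want=$(norm_fpr "$1")
  awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      # Appending "" forces a string comparison, never a numeric one.
      if (($NF "") == (want "")) good = 1; else bad = 1
    }
    $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
                         $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
    END { exit !(good && !bad) }'
)

# $1 installer  $2 detached signature  $3 publisher key file  $4 pinned fingerprint
verify_release() (
  # Throwaway keyring, so keys already in ~/.gnupg cannot satisfy the check.
  home=$(mktemp -d) || exit 2
  trap 'rm -rf "$home"' EXIT
  gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null || exit 2
  gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
    status_ok "$4"
)

# Usage: sh verify.sh installer.exe installer.exe.asc release-key.asc 'FINGERPRINT'
if [ "$#" -eq 4 ]; then
  if verify_release "$@"; then
    echo "OK: signature made under the pinned key"
  else
    echo "FAILED: do not run this installer" >&2
    exit 1
  fi
fi
```

Importing the key file proves nothing by itself; the trust decision is the fingerprint comparison, which is why the fingerprint should come from a different channel than the download.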