IPSec vs. OpenVPN: What’s the Difference? | IoT Glossary (2024)

The more distributed your devices or employees are, and the more valuable your data, the more critical it is that your data transmissions are encrypted and secure. You want your devices and users to have access to network resources without leaving the door open to hackers.

That’s where IPSec and OpenVPN come in. These protocol suites are two of the most common solutions for creating a VPN. In IoT, OpenVPN is an ideal solution for facilitating remote access to an IoT device from another device, such as when a support engineer needs to use their laptop to connect to a device in the field. IPSec, however, provides secure encryption of the IoT device’s data and facilitates remote access to the device from an application.

In this article, we’ll examine both solutions and evaluate the differences. Let’s start by looking at what these protocols are designed to accomplish: creating a VPN.

What is a VPN?

A VPN is a Virtual Private Network, which authorized users and devices can use to securely access company resources through public or private networks. It creates an encrypted tunnel from one network to another, and anyone outside the VPN can’t see what passes through it.

Think of the data packets you send between devices as physical packages. Using a VPN is like having your courier put your package in a lockbox with a different label on it, and only the intended recipient will have the key. It takes more work to secure packages this way, but it ensures that if the wrong person grabs one, they can’t get what’s inside.

If your employee works from home or their favorite coffee shop and uses a VPN to access company applications and servers, neighbors, roommates, or other coffee shop patrons can’t see what they’re doing or intercept and manipulate transmissions.

In IoT, businesses often have thousands of connected, distributed devices that need to interact with network resources, often through disparate networks. Operators may also need to remotely access individual devices to troubleshoot problems and push updates. A VPN allows your various IoT deployments to securely communicate with your applications and infrastructure from anywhere. Since many IoT devices lack the computing power to handle advanced features like encryption (which a VPN provides), businesses may use an IoT gateway that connects to a VPN to secure and facilitate communication between local IoT devices and other network entities.

Now let’s look at the two main ways to create a VPN.

What is IPSec?

IPSec stands for Internet Security Protocol, and it includes three protocols for securing network communications:

  1. Authentication Headers (AH) use a shared key to verify the identity of a device when it sends a transmission, then use a checksum to ensure the data packet hasn’t been altered.
  2. Encapsulating Security Payloads (ESP) encapsulates the data packet, and in a VPN, it even encapsulates the header and creates a new one, so no one can see any of the original packet without the encryption key.
  3. Internet Security Association and Key Management Protocol (ISAKMP) defines how two network entities will communicate, establishing how long they’ll transmit, how they’ll encrypt the data, and what keys they’ll use.

Together, these protocols encrypt data packets before they’re transmitted, and verify the packet’s integrity. Using an “anti-replay” feature, Authentication Headers can also combat a common Denial of Service tactic known as a replay, where a hacker repeatedly duplicates authorized data packets. By adding a sequence number to the Authentication Header, IPSec can recognize when a data packet has already been received and reject duplicates.
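To make the sequence-number check concrete, here is an added Python illustration (not code from the article or from emnify) of the sliding-window anti-replay logic an IPSec receiver applies to each AH or ESP packet. It assumes a 64-packet window, which is the RFC 4303 minimum and not something the article states.

```python
# Added illustration of IPsec-style anti-replay (not the article's own code).
# The receiver remembers the highest sequence number accepted and a bitmap of
# which of the previous `size` sequence numbers have already arrived.

class AntiReplayWindow:
    """Sliding window over sequence numbers, as described in RFC 4303 App. A."""

    def __init__(self, size: int = 64):   # 64 is an assumed window size
        self.size = size
        self.highest = 0                   # highest sequence number accepted
        self.bitmap = 0                    # bit i set => (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if the packet is fresh, else False."""
        if seq == 0:                       # IPsec counters start at 1; 0 is invalid
            return False
        if seq > self.highest:             # newer than anything seen: slide window
            shift = seq - self.highest
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:                          # jumped past the whole window
                self.bitmap = 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:              # too old to track: reject
            return False
        if (self.bitmap >> diff) & 1:      # already received: replay
            return False
        self.bitmap |= 1 << diff           # late but fresh (reordered): accept
        return True


def filter_stream(seqs, window_size: int = 64):
    """Run a list of sequence numbers through one window; return verdicts."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]


# Constructed sample: a sender emits 1..5, copies of 3 and 1 are replayed,
# then 7 arrives before 6 (reordering), then 7 is replayed again.
SAMPLE = [1, 2, 3, 4, 5, 3, 1, 7, 6, 7]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE, filter_stream(SAMPLE)):
        print(f"seq {seq:3d}: {'accept' if ok else 'REJECT'}")
```

The window accepts the reordered packet 6 because it is within the window and unseen, while every duplicate is dropped without any per-packet state beyond one counter and one bitmap.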

Notably, IPSec has two modes: tunnel mode and transport mode. Only tunnel mode creates a VPN. With tunnel mode, IPSec is “always on,” creating a site-to-site VPN connection that enables all IP addresses from one side to talk to all IP addresses on the other side. At emnify, our IPSec connections generate a private shared key on setup.

What is OpenVPN?

OpenVPN is an open-source solution that can use either User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) for data transmission. By default, OpenVPN uses 256-bit encryption to protect your data, but if that’s overkill, it can be configured to use 128-bit encryption instead. Since the protocol is open source, OpenVPN is constantly being improved by a global community that looks for bugs, finds fixes, and adds capabilities.

In IoT, OpenVPN is essentially an “on demand” point-to-point VPN. Users need either a username and password or authentication token to access the VPN, and the protocol creates a tunnel between a specific IP address and your devices.

Differences between IPSec and OpenVPN

IPSec and OpenVPN are both viable VPN solutions. But OpenVPN is generally regarded as a more secure, more flexible option. As an “always on” site-to-site VPN solution, IPSec is ideal for securing your on-premises resources, but it can be more difficult to implement with devices in the field, particularly in IoT. As an on-demand point-to-point VPN solution, OpenVPN is great for troubleshooting devices anywhere in the world.

Feature                                   IPSec          OpenVPN
Easy to install                           YES            Depends on OS
Remote access                             Site-to-site   Point-to-point
Documentation                             Thorough       Thorough
Authentication by password                YES            YES
Authorization by certificate              YES            YES
Authentication by server                  YES            YES
Support for point-to-multipoint tunnels   YES            NO
Transmission protocols                    TCP            TCP or UDP
Supported on networking devices           YES            Limited
Dynamic routing in tunnel                 YES            YES
NAT traversal                             YES            YES
Support for IPv6                          YES            YES

Get secure IoT connectivity with emnify

emnify is a global IoT connectivity solution that uses both OpenVPN and IPSec to create network tunnels between your IoT devices, on-premises systems, and cloud-based applications. Our multi-layered approach to security helps protect your data with additional features like IMEI lock, monitoring tools, and connectivity profiles.

Whether you’re using IPSec or OpenVPN, we create redundant tunnels in our cloud-native platform to ensure that if an instance of your VPN or the data center that supports it goes down, you still have access to your VPN.

I'm an expert in network security and VPN technologies with a deep understanding of both IPSec and OpenVPN protocols. My expertise is backed by hands-on experience in implementing secure communication solutions for distributed devices and remote access scenarios.

Now, let's delve into the concepts discussed in the article:

VPN Overview:

A Virtual Private Network (VPN) is a secure connection that allows authorized users and devices to access company resources through public or private networks. It establishes an encrypted tunnel from one network to another, ensuring that data transmissions are secure and inaccessible to unauthorized entities.

IPSec (Internet Security Protocol):

IPSec is a protocol suite that secures network communications through three main protocols:

  1. Authentication Headers (AH): Verifies the identity of a device using a shared key and ensures data packet integrity through a checksum.
  2. Encapsulating Security Payloads (ESP): Encrypts the data packet, including the header, creating a new one to prevent unauthorized access without the encryption key.
  3. Internet Security Association and Key Management Protocol (ISAKMP): Defines how two network entities communicate, including encryption details and key management.

IPSec operates in two modes: tunnel mode (creates a VPN) and transport mode.

OpenVPN:

OpenVPN is an open-source VPN solution supporting both UDP and TCP for data transmission. It uses 256-bit encryption by default but can be configured for 128-bit encryption. OpenVPN is a point-to-point VPN, requiring a username/password or authentication token for access. It establishes a tunnel between a specific IP address and connected devices.

Differences between IPSec and OpenVPN:

  • Installation: IPSec is generally easier to install.
  • Remote Access: IPSec is suited for site-to-site connections, while OpenVPN is ideal for point-to-point connections.
  • Flexibility: OpenVPN is considered more secure and flexible, especially for troubleshooting devices in the field.
  • Authentication: Both support authentication by password and certificate, as well as server authentication.
  • Transmission Protocols: IPSec uses TCP, while OpenVPN supports both TCP and UDP.
  • Dynamic Routing: Both support dynamic routing in tunnels.
  • NAT Traversal: Both IPSec and OpenVPN support Network Address Translation (NAT) traversal.
  • IPv6 Support: Both protocols support IPv6.

emnify IoT Connectivity Solution:

emnify is a global IoT connectivity solution that utilizes both OpenVPN and IPSec to create secure network tunnels between IoT devices, on-premises systems, and cloud-based applications. The platform employs a multi-layered security approach, including features like IMEI lock, monitoring tools, and connectivity profiles. Redundant tunnels are created to ensure continuous access to the VPN even if an instance or data center experiences downtime.

In conclusion, choosing between IPSec and OpenVPN depends on specific use cases, with OpenVPN being favored for its flexibility and security, especially in IoT scenarios with distributed devices.

Author: Terrell Hackett
