Unparalleled simplicity. Minimal user interface. No new usernames or passwords to remember.
Secure-by-default configuration. Perfect Forward Secrecy. Mutual certificate authentication.
Dynamic runtime configuration updates. Windows Active Directory support. Auditing. JSON & RPC API.
Only the necessary features for common VPN use cases are built into the server. All users benefit from defaults that are based on security best practices. Additional functionality can be added via plugins in both control and data planes.
Not all features are available during the beta period. Android support will be available in a later release.
After installing the server, copy the generated configuration profile from /etc/vpnserver/pki-tools/clients/client.vpntoolkit to the client and run:
vpnclient --profile client.vpntoolkit --connect vpn.example.com
By default, PAM authentication is enabled, so any user account on the VPN server can be used to connect. The default PKCS#12 identity password, as generated at install time, is the literal string "secret". Since that password is public knowledge, protect the profile file itself as you would a private key.
Useful command-line arguments:
--log-level debug to increase log verbosity
--no-route to avoid modifying the routing table (for testing)
On Windows, you will need to first install the OpenVPN NDIS 6 TUN/TAP driver (tap-windows, bottom of the page) for the client to work. This requirement will be dropped in a future release.
On iOS, the configuration profile must be opened in Safari from a secure website and served with the application/x-vpntoolkit-profile MIME type. It can also be opened from any other app (e.g., Mail) as long as the .vpntoolkit file extension is retained.
Check for server updates:
Check for client updates:
The default VPN protocol runs over TCP and requires TLS version 1.2. While the cipher suites are configurable, the defaults consist only of ones that support Perfect Forward Secrecy (PFS), using either the 128-bit or 256-bit AES cipher:
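As an added example (not Pilvy's configuration or code), the shell script below expands a cipher-suite policy of the kind described above, TLS 1.2 with only PFS AES suites, with the openssl CLI and audits the expansion, so that a policy string cannot silently admit a static-RSA or non-AES suite. The policy string PFS_AES_POLICY is an assumption written in OpenSSL cipher-list syntax, not the product's default list, and the script assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not part of Pilvy VPN Server. Assumes the openssl CLI is installed.
# PFS_AES_POLICY is an assumed policy in OpenSSL cipher-list syntax: ephemeral (EC)DH
# key exchange only, AES only, no anonymous or null suites.
PFS_AES_POLICY='ECDHE+AES:DHE+AES:!aNULL:!eNULL'

# audit_policy POLICY: expand POLICY with "openssl ciphers -v" and check every suite it
# yields. openssl prints one suite per line as
#   NAME  PROTOCOL  Kx=<key exchange>  Au=<auth>  Enc=<cipher>  Mac=<mac>
# TLS 1.3 suites (always PFS, and listed by openssl regardless of the policy) are skipped
# because the protocol above requires TLS 1.2. Returns 0 if every remaining suite uses an
# ephemeral (EC)DH key exchange and AES; otherwise prints each offender and returns 1.
# A policy that matches no suite at all is also treated as a failure.
audit_policy() {
    openssl ciphers -v "$1" 2>/dev/null | awk '
        BEGIN { bad = 0; seen = 0 }
        $2 == "TLSv1.3" { next }
        {
            seen++; kx = ""; enc = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Kx=/)  kx  = substr($i, 4)
                if ($i ~ /^Enc=/) enc = substr($i, 5)
            }
            if (kx != "ECDH" && kx != "DH") { print "no forward secrecy: " $1 " (Kx=" kx ")"; bad = 1 }
            if (enc !~ /^AES/)              { print "not AES: " $1 " (Enc=" enc ")"; bad = 1 }
        }
        END { if (seen == 0) { print "policy matched no suites"; bad = 1 }; exit bad }'
}

# The TLS 1.2 suites the assumed policy actually enables, one name per line, for review.
list_pfs_aes_suites() {
    openssl ciphers -v "$PFS_AES_POLICY" | awk '$2 != "TLSv1.3" { print $1 }'
}

# Convenience wrapper for the assumed policy.
check_pfs_aes() { audit_policy "$PFS_AES_POLICY"; }

# When run directly: show the enabled suites, then contrast with a static-RSA suite.
# AES256-GCM-SHA384 uses Kx=RSA, so a recorded session can be decrypted later if the
# server's private key ever leaks; the audit rejects it.
list_pfs_aes_suites
check_pfs_aes && echo "policy OK: every suite has forward secrecy and uses AES"
audit_policy 'AES256-GCM-SHA384' || echo "static-RSA suite correctly rejected"
```

The audit is worth running whenever the policy string is edited: OpenSSL's cipher-list grammar is permissive, and an operator who appends a suite name "for compatibility" will not get an error, only a weaker list.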
The server supports username/password, token, and certificate-based authentication. Authentication backends include PAM, OpenID Connect (Google Apps/G Suite), Windows Active Directory/LDAP, SQL, HTTP, and custom plugin.
The default (and recommended) security configuration is to require mutual authentication of client and server before actual user authentication takes place. The server installation generates the following public key infrastructure (PKI) hierarchy:
Clients connecting to the server trust exactly one CA, the VPN Root CA, so a server certificate is accepted only if it chains to that root. Likewise, the server requires each client to present a certificate that chains to the same root (in this case, one issued by an intermediate CA beneath it). If either the client fails to validate the server or the server fails to validate the client, the connection is dropped. Only after both validations succeed does username/password or token based authentication take place. In some environments, that second authentication step can be disabled if client certificates are adequately protected and a real-time revocation process is in place.
External PKI such as HSM and PKCS#11 smart cards will be supported in a future release for enterprise customers.
CRL verification is currently not supported. Until it is available, a lost or stolen client certificate cannot be revoked and stays valid until it expires, so username/password or token based authentication should not be disabled: it is the only per-user control that can be withdrawn immediately.
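The mutual-authentication rule above (client and server each chain to the single VPN Root CA) and the CRL caveat can be exercised end to end with the openssl CLI. The script below is an added example, not Pilvy's code and not its generated PKI layout: it builds a throwaway root, intermediate, server and client certificate, shows that a client certificate from any other CA is rejected even with an identical subject, and then issues a CRL from the intermediate to show what a CRL-checking verifier does with a revoked client certificate, which is exactly the check the server does not yet perform. The CA names, file names, one-day validity and vpn.example.com are assumptions, and the script assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not Pilvy VPN Server code. Assumes the openssl CLI is installed.
# All names, file names, vpn.example.com and the one-day validity are illustrative.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_root NAME "SUBJECT": key plus self-signed CA certificate with CA extensions.
make_root() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -sha256 \
        -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# issue NAME "SUBJECT" ISSUER "EXTENSIONS": key plus certificate signed by ISSUER's key.
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
    printf '%b\n' "$4" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

CA_EXT='basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
CLIENT_EXT='basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth'
SERVER_EXT='basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com'

build_pki() {
    make_root root '/CN=VPN Root CA'                     # the single CA the clients trust
    issue int '/CN=VPN Intermediate CA' root "$CA_EXT"   # issues server and client certs
    issue server '/CN=vpn.example.com' int "$SERVER_EXT"
    issue client '/CN=alice' int "$CLIENT_EXT"
    make_root other '/CN=Some Other CA'                  # a CA the VPN does not trust
    issue rogue '/CN=alice' other "$CLIENT_EXT"          # same subject, wrong issuer
}

# Server side: accept a presented client certificate only if it chains to the VPN Root CA
# and is marked for client authentication. The client sends its intermediate along with
# the leaf, which is why it is passed as -untrusted rather than as a trust anchor.
verify_client() {   # verify_client LEAF.crt CHAIN.crt -> 0 if accepted
    openssl verify -purpose sslclient -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
}

# Client side: the server certificate must chain to the same root and carry the name dialled.
verify_server() {
    openssl verify -purpose sslserver -verify_hostname vpn.example.com \
        -CAfile root.crt -untrusted int.crt server.crt >/dev/null 2>&1
}

# Revocation: the intermediate publishes a CRL. A minimal "openssl ca" database is enough
# to sign one. Returns 0 when a CRL-checking verifier rejects the revoked client
# certificate but still accepts the unrevoked server certificate.
revoke_client_and_check() {
    {
        printf '[ca]\ndefault_ca=int_ca\n[int_ca]\ndatabase=index.txt\nserial=serial\n'
        printf 'new_certs_dir=.\ncertificate=int.crt\nprivate_key=int.key\ndefault_md=sha256\n'
        printf 'default_crl_days=1\ncrlnumber=crlnumber\npolicy=any\n[any]\ncommonName=supplied\n'
    } > int.cnf
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl ca -config int.cnf -revoke client.crt >/dev/null 2>&1
    openssl ca -config int.cnf -gencrl -out int.crl >/dev/null 2>&1
    if openssl verify -crl_check -CRLfile int.crl -CAfile root.crt \
            -untrusted int.crt client.crt >/dev/null 2>&1; then
        return 1    # a revoked certificate was still accepted
    fi
    openssl verify -crl_check -CRLfile int.crl -CAfile root.crt \
        -untrusted int.crt server.crt >/dev/null 2>&1
}

build_pki
verify_client client.crt int.crt && echo "client.crt: accepted (chains to VPN Root CA)"
verify_client rogue.crt other.crt || echo "rogue.crt: rejected (issuer is not trusted)"
verify_server && echo "server.crt: accepted by the client"
revoke_client_and_check && echo "with the CRL: client.crt rejected, server.crt still accepted"
```

Note the asymmetry the last two lines make visible: without the CRL, client.crt is still accepted after revocation, which is the situation the text describes until CRL verification ships.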
VPN client IP pools can be either IPv4 or IPv6 and can be of arbitrary size or prefix length.
Split-tunneling is supported out of the box, with provisions for excluded routes (currently only supported on iOS) to allow certain netblocks to be routed outside the VPN tunnel.
Out of the box, it supports a custom SSL/TLS based VPN protocol running over TCP, but additional protocols can be added, even on the same TCP port (assuming each VPN protocol has a distinguishable initial handshake). The default protocol is TCP-based because many clients are mobile devices roaming on and off mobile data networks such as LTE, where carriers proactively optimize TCP flows in a way that lowers end-user device battery consumption.
TLS renegotiation is not supported. Instead, the server can be configured to abort TLS sessions after a configurable number of packets, bytes, or seconds, which bounds the amount of traffic protected by any single session key. In practice, with a 128-bit or stronger cipher this only matters for extremely long-lived connections spanning multiple years, although the relevant limit is the volume of data encrypted under one key rather than key length alone: for AES-GCM, RFC 8446 recommends a key update before roughly 2^24.5 full-size records, so on high-throughput tunnels the byte or packet threshold is the one worth setting rather than the time threshold. Either way, the client simply reconnects to the server without adverse effects.
A high-performance hybrid TCP/UDP protocol will be made available in a future release.
Pilvy VPN Server is built on Pilvy VPN Server Toolkit, our VPN SDK. Customers are able to extend the VPN server in a number of different areas:
More documentation on the server and plugin API will be provided in a future release.
Interested in a fully managed VPN solution for your company? Contact Us