Unparalleled simplicity. Minimal user interface. No new usernames or passwords to remember.
Secure-by-default configuration. Perfect Forward Secrecy. Mutual certificate authentication.
Dynamic runtime configuration updates. Windows Active Directory support. Auditing. JSON & RPC API.
Only the necessary features for common VPN use cases are built into the server. All users benefit from defaults that are based on security best practices. Additional functionality can be added via plugins in both control and data planes.
Not all features are available during the beta period. Android support will be available in a later release.
After installing the server, copy the generated configuration profile from
/etc/vpnserver/pki-tools/clients/client.vpntoolkit to the client and run:
vpnclient --profile client.vpntoolkit --connect vpn.example.com
By default, PAM authentication is enabled, so any user account on the VPN server can be used to connect. The default PKCS12 identity password is
secret as generated at install time. The
.vpntoolkit is a JSON file containing server information, although can also embed credentials into it for a streamlined connection setup.
Useful command-line arguments:
--log-level debugto increase log verbosity
--no-routeto ignore routes pushed by the server (usually for testing purposes)
On Windows, you will need to first install the OpenVPN NDIS 6 TUN/TAP driver (tap-windows, bottom of the page) for the client to work. The Windows app installer automatically does this.
On iOS, the configuration profile must be opened in Safari from a secure website and served with the
application/x-vpntoolkit-profile MIME type. It can also be opened from any other app (e.g., Mail) as long as the
.vpntoolkit file extension is retained.
The default VPN protocol runs over TCP and requires TLS version 1.2. While the cipher suites are configurable, the defaults (both server and clients) consist only of ones that support Perfect Forward Secrecy (PFS), using either the 128-bit or 256-bit AES cipher:
A high-performance VPN protocol (UDP and TCP) based on the Noise Protocol Framework will be made default in a future release, later this year. The protocol will also be open sourced.
The server supports username/password, token, and certificate-based authentication. Authentication backends include PAM, OpenID Connect (e.g., Google Apps/G Suite), Windows Active Directory/LDAP, SQL, and custom plugin.
The default (and recommended) security configuration is to require mutual authentication of client and server before actual user authentication takes place. The server installation generates the following public key infrastructure (PKI) hierarchy:
Clients connecting to the server will only trust a single CA, that is the VPN Root CA. Likewise, servers will require clients to present a certificate issued by said CA (an intermediate CA in this case). If either the client fails to validate the server or the server fails to validate the client, the connection is dropped. Upon success, either credential or token based authentication is performed. In some environments, the secondary authentication step can be disabled if certificates are adequately protected and a real-time revocation process is in place.
External PKI such as HSM and PKCS#11 smart cards will be supported in a future release for enterprise customers.
CRL verification is currently not supported. Until it is available, credential or token based authentication should not be disabled.
VPN client IP pools can be either IPv4 or IPv6 and can be of arbitrary size or prefix length.
Split-tunneling is supported out of the box, with provisions for excluded routes (currently only supported on iOS) to allow certain netblocks to be routed outside the VPN tunnel.
Out of the box, it supports a custom SSL/TLS based VPN protocol running over TCP, but additional protocols can be added, even on the same TCP port (assuming each VPN protocol has a distinguishable initial handshake).
Pilvy VPN Server is built on Pilvy VPN Server Toolkit, our VPN SDK. Customers are able to extend the VPN server in a number of different areas:
Documentation about the server and plugin APIs will be provided in future releases.