What is OpenVPN?
Learn what OpenVPN is, how its TLS-based tunnel works, TUN vs TAP modes, and why it traverses firewalls well — interview Q&A included.
Expected Interview Answer
OpenVPN is an open-source VPN protocol and software suite that builds an encrypted tunnel between a client and a server using TLS for key exchange and either OpenSSL-based ciphers or the newer AES-GCM/ChaCha20 suites for the data channel, running over a single UDP or TCP port.
OpenVPN establishes a control channel using TLS to authenticate both peers and negotiate session keys, then wraps all subsequent traffic — regardless of the original protocol — inside encrypted UDP or TCP packets on one configurable port, most commonly 1194/UDP. Because it runs entirely in user space and can operate over a single port, it traverses NAT and most firewalls easily, unlike protocols such as IPsec that rely on specific ports and IP protocol numbers. It supports both routed (TUN, Layer 3) and bridged (TAP, Layer 2) modes, certificate-based or pre-shared-key authentication, and can push routes and DNS settings to clients automatically. Its main trade-off versus kernel-native protocols like WireGuard or IPsec is CPU overhead, since encryption happens in user space rather than the kernel.
- Encrypts and tunnels all traffic between client and server
- Single-port UDP/TCP operation traverses NAT and firewalls easily
- Certificate-based mutual authentication via TLS
- Flexible routed (TUN) or bridged (TAP) deployment modes
AI Mentor Explanation
OpenVPN is like a private, sealed tunnel built under a stadium so a team can walk from the dressing room straight to the pitch without ever being seen or intercepted by the crowd outside. Every step through that tunnel is guarded and identity-checked at the entrance gate, exactly the way OpenVPN’s TLS handshake authenticates both ends before anything passes through. Whatever the players carry inside — kit bags, equipment, notes — stays hidden from anyone standing outside the tunnel walls. Even if the stadium is packed and every other gate is watched, this one sealed passage still gets the team through unnoticed.
Step-by-Step Explanation
Step 1
TLS handshake
Client and server authenticate each other using certificates (or pre-shared keys) and negotiate a session key over the control channel.
Step 2
Tunnel establishment
A virtual TUN (Layer 3) or TAP (Layer 2) interface is created, and the encrypted data channel is set up over a single UDP or TCP port.
Step 3
Traffic encapsulation
All application traffic is encrypted and wrapped inside OpenVPN packets, then sent over the single negotiated port to the server.
Step 4
Routing/decapsulation
The server decrypts each packet, routes it to its real destination (or the internet), and returns responses back through the same tunnel.
What Interviewer Expects
- Explains that OpenVPN uses TLS for authentication/key exchange and a separate data channel for encrypted traffic
- Knows it runs over a single configurable UDP/TCP port, aiding NAT/firewall traversal
- Distinguishes TUN (routed, Layer 3) vs TAP (bridged, Layer 2) modes
- Compares trade-offs versus IPsec or WireGuard (user-space overhead vs traversal flexibility)
Common Mistakes
- Thinking OpenVPN is a hardware appliance rather than open-source software
- Confusing OpenVPN with the broader concept of "VPN" as if they were the same thing
- Not knowing it can run over both UDP and TCP
- Assuming it always uses a fixed, non-configurable port
Best Answer (HR Friendly)
“OpenVPN is a well-known, open-source technology that creates a secure, encrypted tunnel between your device and a private network, so your traffic stays protected even on public or untrusted Wi-Fi. It authenticates both sides using certificates and then encrypts everything that flows through, and because it can run over a single ordinary-looking port, it works reliably even behind strict firewalls.”
Code Example
# Connect using a client configuration file
sudo openvpn --config client.ovpn
# Typical successful connection log lines:
# TLS: Initial packet from [AF_INET]203.0.113.10:1194
# VERIFY OK: depth=1, CN=OpenVPN-CA
# Initialization Sequence Completed
# Check the assigned tunnel interface and route
ip addr show tun0
ip route show table all | grep tun0Follow-up Questions
- How does OpenVPN differ from WireGuard in terms of performance and configuration?
- What is the difference between TUN and TAP mode?
- How does OpenVPN authenticate clients — certificates vs static keys?
- Why might OpenVPN be configured to run over TCP port 443 specifically?
MCQ Practice
1. Which protocol does OpenVPN use for its control channel key exchange?
OpenVPN uses TLS to authenticate peers and negotiate session keys before encrypted data flows.
2. What is a key advantage of OpenVPN running over a single UDP/TCP port?
Because all traffic goes through one configurable port, OpenVPN traverses NAT and restrictive firewalls more easily than multi-port protocols.
3. What is the difference between OpenVPN TUN and TAP modes?
TUN operates at Layer 3 for IP routing; TAP bridges at Layer 2, carrying Ethernet frames.
Flash Cards
What is OpenVPN? — An open-source VPN protocol/software using TLS for authentication and encrypting traffic over a single UDP/TCP port.
TUN vs TAP? — TUN = Layer 3 routed mode; TAP = Layer 2 bridged mode.
Why does OpenVPN traverse firewalls well? — It runs over a single configurable port, often disguised as normal traffic.
How are peers authenticated? — Via TLS using certificates (or pre-shared static keys).