OpenVPN is still alive and kicking with new Wintun and Data Channel Offload adapters!

OpenSource Ghost (Limp Gawd, joined Feb 14, 2022, 240 messages)
This is just an FYI that OpenVPN now supports the Wintun adapter as well as the Data Channel Offload (DCO) adapter. Wintun was originally designed for the WireGuard protocol as a user-space adapter, but now the OpenVPN client can use it as well with any OpenVPN server. Wintun is not nearly as much of a bottleneck as the legacy OpenVPN TAP adapter and massively improves OpenVPN throughput (on par with WireGuard). DCO takes it even further by moving VPN packet processing from user space to kernel space, which improves performance even more than use of the Wintun adapter, but it does not support compression, making it incompatible with many OpenVPN servers.

Simply use the latest OpenVPN (Community) release and add a "windows-driver wintun" line to whichever OpenVPN configuration file you use to make use of the Wintun adapter. To use DCO, do not add that line and disable the compression settings in the OpenVPN configuration file, but that only works if the OpenVPN server doesn't enforce compression.

My only beef with OpenVPN is that I don't know how to prevent it from saving information to registry without using 3rd party portable wrappers, which is not an option for me.
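The two configurations described in the post, side by side, plus a small lint that reports which directives would keep an OpenVPN 2.6 client off the DCO path. This is an added example, not code from the original post or from the OpenVPN project. The hostname, certificate paths and cipher list are placeholders. The rule list combines the post's two points (compression disables DCO; "windows-driver wintun" selects Wintun instead) with other DCO restrictions the example's author believes apply in 2.6 (tun-only, no --fragment, no static-key mode, AEAD data ciphers only); treat those extra rules as assumptions and check them against the current OpenVPN manual.

```python
"""Compare a Wintun client config with a DCO-ready one and lint for
directives that prevent Data Channel Offload (DCO).

Added example, not from the original forum post. Hostnames, paths and
cert names are placeholders. The rule list reflects the post (compression
blocks DCO, "windows-driver wintun" selects Wintun) plus DCO limitations
assumed by the author of this example; verify against the OpenVPN manual.
"""
import re

# Constructed sample: Wintun client config (user-space adapter, compression allowed)
WINTUN_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
windows-driver wintun
compress lz4-v2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
"""

# Constructed sample: DCO-ready client config (no driver line, compression refused)
DCO_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
allow-compression no
data-ciphers AES-256-GCM:CHACHA20-POLY1305
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
"""

# Assumption: DCO handles only AEAD data-channel ciphers.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_directives(text):
    """Yield (name, args) for each directive, skipping comments and <inline> blocks."""
    directives = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:                      # inside <ca>...</ca> etc.: skip payload
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        parts = line.split()
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def dco_blockers(text):
    """Return human-readable reasons why the client would not use DCO."""
    reasons = []
    for name, args in parse_directives(text):
        if name in ("comp-lzo", "compress"):
            # Conservative: any compression directive is flagged, per the post.
            reasons.append(f"{name}: compression is not supported by DCO")
        elif name == "allow-compression" and args and args[0] != "no":
            reasons.append(f"allow-compression {args[0]}: compression may still be negotiated (assumed to block DCO)")
        elif name == "windows-driver" and args and args[0] != "ovpn-dco":
            reasons.append(f"windows-driver {args[0]}: selects a non-DCO driver")
        elif name == "dev" and args and args[0].startswith("tap"):
            reasons.append("dev tap: DCO only supports tun (layer 3) mode")
        elif name == "fragment":
            reasons.append("fragment: not supported by DCO")
        elif name == "secret":
            reasons.append("secret: static-key mode is not supported by DCO")
        elif name == "disable-dco":
            reasons.append("disable-dco: DCO explicitly turned off")
        elif name in ("data-ciphers", "ncp-ciphers") and args:
            bad = [c for c in args[0].split(":") if c.upper() not in AEAD_CIPHERS]
            if bad:
                reasons.append(f"{name}: non-AEAD cipher(s) {bad} are not supported by DCO")
    return reasons


def dco_ready(text):
    """True when no known directive prevents DCO."""
    return not dco_blockers(text)


if __name__ == "__main__":
    for label, cfg in (("Wintun config", WINTUN_CONFIG), ("DCO config", DCO_CONFIG)):
        problems = dco_blockers(cfg)
        print(f"{label}: {'DCO-ready' if not problems else 'falls back from DCO'}")
        for p in problems:
            print("  -", p)
```

Run the script over your own .ovpn file to see which lines to drop before expecting DCO. The lint only sees the client side: as the post notes, if the server pushes or enforces compression, the client still cannot use DCO, so confirm in the OpenVPN log which adapter was actually opened after connecting.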
 
A big portion of the corporate world has pretty much abandoned this type of VPN client for users in favor of ZTA-oriented solutions. Would work fine for a home lab though.
 
What are those solutions exactly and how are they better?

Open-source VPN clients like OpenVPN-GUI (not OpenVPN Connect) continue to prioritize security instead of introducing new features, have minimal attack surface due to provision of only core features, and don't seek to have full control over your system. The OpenVPN protocol itself is outdated and that's the only con.

The recent boom of VPN development resulted in major corporate and consumer apps seeking to deploy an ecosystem of apps or app domains onto systems with features already provided by the OS or superior 3rd-party applications. Each new feature = more attack surface + more access to systems. VPN apps also don't hesitate to bring their own low-level kernel-access drivers for everything: virtual adapters, tunnels, firewalls, split tunneling, file scans, etc. On top of that, VPN software makers can decide to build on top of already existing (and often vulnerable) platforms, like Electron and .NET Framework.

VPN software just needs to provide a safe encrypted tunnel to a trusted VPN provider. The rest is up to the OS and the user. If anything, clients such as OpenVPN-GUI fit the description of ZTA. Clients such as official WireGuard for Windows still have work to do to provide basic features.
 