7

This question elaborates on how OpenVPN uses two channels to transfer data.

It first sets up a TLS connection (called control channel) and uses that to transfer a symmetric key and some other control data. It then sets up another channel (data channel) and starts transferring the actual data encrypted using the key.

Why the second channel? Why not simply transfer all data using TLS?

Tobi Nary
tsusanka

3 Answers

5

There's some truth in the other answers, but the primary reason is different: because OpenVPN was designed as IP-over-UDP, while TLS runs over TCP. Furthermore, the initial versions of OpenVPN did not have key exchange at all, but already had their own (better designed than TLS) data channel protocol. So when TLS was added, it made sense to stick to that for the data channel.

(Nowadays there's DTLS that runs over UDP, but that didn't exist when the OpenVPN protocol was created.)

Steffan Karger
2

OpenVPN is not designed for only one type of key exchange. There are multiple types of key exchange supported by OpenVPN. Rather than creating a new protocol for every single type, the developers use a single protocol, the data channel, and allow different features to provide the key using their own protocols, such as TLS. Additionally, this allows features such as --tls-auth to be used to provide security features which plain TLS does not provide (in this case, authentication before TLS even comes into play, as a second line of defense).

The OpenVPN documentation explains the two default types of key exchange, static keys and TLS.

forest
  • Hm, I understand. Is it actually common to use other protocols to provide the key? It seems a little bit like a theoretical option – tsusanka Nov 28 '17 at 12:00
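To make the two-channel split in the question and the "authentication before TLS" point in the answer above concrete, here is an added toy model (not code from the question, the answers, or the OpenVPN project; standard library only). Both channels share one UDP socket and are told apart by the opcode in the first byte; the opcode numbers (first byte = opcode << 3 | key_id) follow OpenVPN's convention, but the header layout, the key derivation from the control-channel secret and the HMAC-keystream "cipher" are simplified stand-ins and are not OpenVPN's real wire format. A control packet whose tls-auth HMAC does not verify is dropped before any of its bytes would reach a TLS library; data packets are authenticated and decrypted with a key selected by key_id and never touch TLS at all.

```python
"""Toy model of OpenVPN's control/data channel demux (added example, not OpenVPN code).
Opcode numbers follow OpenVPN; framing, key derivation and cipher are simplified stand-ins."""
import hashlib
import hmac
import struct

# OpenVPN opcodes; first byte on the wire = (opcode << 3) | key_id.
P_CONTROL_V1 = 4
P_ACK_V1 = 5
P_DATA_V1 = 6
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
CONTROL_OPCODES = {P_CONTROL_V1, P_ACK_V1, P_CONTROL_HARD_RESET_CLIENT_V2}

# Constructed keys. TA_KEY stands for the pre-shared --tls-auth key; MASTER stands
# for the secret the TLS control channel would have negotiated (here a constant).
TA_KEY = hashlib.sha256(b"constructed tls-auth key").digest()
MASTER = hashlib.sha256(b"constructed master secret from TLS").digest()


def derive_data_key(master, key_id):
    # Illustrative only: one data-channel key per key_id, derived from the control-channel
    # secret so the two channels never share a key. OpenVPN uses the TLS PRF/exporter instead.
    return hmac.new(master, b"data-channel key " + bytes([key_id]), hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in for the real data-channel cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_control(opcode, key_id, session_id, packet_id, tls_bytes):
    """Control packet: opcode | session_id(8) | HMAC(32) | packet_id(4) | tls_bytes.
    The tls-auth HMAC covers everything except itself, so a forged packet fails here."""
    head = bytes([(opcode << 3) | key_id]) + session_id
    tail = struct.pack(">I", packet_id) + tls_bytes
    mac = hmac.new(TA_KEY, head + tail, hashlib.sha256).digest()
    return head + mac + tail


def build_data(key_id, packet_id, plaintext):
    """Data packet: opcode | HMAC(32) | packet_id(4) | ciphertext. Keyed by key_id only."""
    key = derive_data_key(MASTER, key_id)
    nonce = struct.pack(">I", packet_id)
    head = bytes([(P_DATA_V1 << 3) | key_id])
    body = nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    mac = hmac.new(key, head + body, hashlib.sha256).digest()
    return head + mac + body


class Receiver:
    def __init__(self):
        self.control_seen = set()   # simplified replay windows (real ones are sliding)
        self.data_seen = set()
        self.tls_input = []         # bytes that would be fed to the TLS library

    def demux(self, pkt):
        opcode, key_id = pkt[0] >> 3, pkt[0] & 7
        if opcode in CONTROL_OPCODES:
            mac, tail = pkt[9:41], pkt[41:]
            expect = hmac.new(TA_KEY, pkt[:9] + tail, hashlib.sha256).digest()
            if not hmac.compare_digest(mac, expect):
                return ("dropped", "bad tls-auth HMAC")       # TLS never sees this packet
            packet_id = struct.unpack(">I", tail[:4])[0]
            if packet_id in self.control_seen:
                return ("dropped", "control replay")
            self.control_seen.add(packet_id)
            self.tls_input.append(tail[4:])
            return ("control", tail[4:])
        if opcode == P_DATA_V1:
            key = derive_data_key(MASTER, key_id)
            mac, body = pkt[1:33], pkt[33:]
            expect = hmac.new(key, pkt[:1] + body, hashlib.sha256).digest()
            if not hmac.compare_digest(mac, expect):
                return ("dropped", "bad data HMAC")
            packet_id = struct.unpack(">I", body[:4])[0]
            if packet_id in self.data_seen:
                return ("dropped", "data replay")
            self.data_seen.add(packet_id)
            return ("data", _xor(body[4:], _keystream(key, body[:4], len(body) - 4)))
        return ("dropped", "unknown opcode %d" % opcode)


def demo():
    """Feed a constructed packet sequence to one receiver and collect its decisions."""
    rx, sid, out = Receiver(), b"\x01" * 8, []
    out.append(rx.demux(build_control(P_CONTROL_HARD_RESET_CLIENT_V2, 0, sid, 0, b"")))
    out.append(rx.demux(build_control(P_CONTROL_V1, 0, sid, 1, b"<TLS ClientHello bytes>")))
    forged = bytearray(build_control(P_CONTROL_V1, 0, sid, 2, b"<TLS record>"))
    forged[-1] ^= 0x01                                     # attacker flips a payload bit
    out.append(rx.demux(bytes(forged)))
    out.append(rx.demux(build_data(0, 1, b"IP packet")))
    out.append(rx.demux(build_data(0, 1, b"IP packet")))  # replayed data packet
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The forged control packet is rejected by the HMAC check alone, which is the "second line of defense" --tls-auth provides: an unauthenticated peer cannot get bytes into the TLS stack. Replacing the toy keystream with a real AEAD and the constant MASTER with a key exported from the TLS session would not change the demux structure.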
-3

It is all about SPEED!! The two channels have to do with key symmetry. In other words, whether the encryption protocol uses the same key for encryption and decryption (symmetric) OR different keys for encryption / decryption (asymmetric).

Generally speaking... Symmetric keys are really fast. Asymmetric keys are very slow. So how do you get the same key to both sides for speed without a hacker grabbing the key? You use asymmetric keys and techniques (control channel) just long enough to get the symmetric key to both sides securely, and then open a data channel that will use the fast symmetric key.

You will find the data channel is always using a symmetric key. The process is more complicated, but that is the general idea.

schroeder
  • Why the downvote? Also, wasn't OpenVPN all about security in comparison to Wireguard which is all about being lean and fast? – Sir Muffington Oct 06 '22 at 18:19
  • 2
    TLS uses symmetric keys as well. So the answer's just plain incorrect. – vidarlo Oct 06 '22 at 18:43
  • 1
    @SirMuffington the reason for having a control channel has absolutely nothing to do with speed. In any way. The second channel isn't even strictly required. I think the poster tried to explain the difference between symmetric and asymmetric encryption and made many leaps in logic when they tried to post an explanation for the control channel. But this doesn't even answer the question for why the control channel is required and why the data channel isn't used for everything. – schroeder Oct 06 '22 at 19:14
  • Ah ok, makes sense now. With "Why the downvote" I meant why downvote without commenting. – Sir Muffington Oct 07 '22 at 18:04