From the largest enterprise to the smallest business, everyone needs a VPN to keep their data safe. And the Internet of Things is no different. The devices may be simpler and the data they exchange lower in volume. But it’s still business data … and it deserves the same privacy and security.
Two popular ways to set up a private IoT network are OpenVPN and IPSec. Both are VPN communication protocol suites offering secure encryption and authentication. But each takes a somewhat different approach to doing it. And they’re not strictly compatible – although they often have complementary rules.
So, IPSec vs OpenVPN, which is best?
Answer: as usual, there’s no “best”. There is, however, a best choice for each of the various use cases with VPN for IoT today. This article lays out their strengths and opportunities.
Table of Contents
What is a VPN?
You’ve heard of a VPN: a private network running over the public Internet, with its data (and even its existence) protected from bad actors via encryption. There are multiple ways to build them, and the main areas of differentiation are:
- Who designed them (their purpose and philosophy)
- Where the software resides (device, server, or cloud)
- How they encrypt (and at which layer of the OSI model)
- What they encrypt (whole packet, payload only, or other)
Two protocol suites that illustrate these differences well are both in play at Onomondo: OpenVPN and IPSec.
Before we look at their differences, let’s see why your IoT business needs a VPN at all.
Why is VPN important for IoT?
When technical types approach their colleagues on the business side, two common questions are “Why is a VPN needed? and “Can IoT devices use VPN?” So it’s important to answer these first.
Some people look at the simple nature and small scale of the average IoT device’s data, and wonder why it’s necessary to secure it in the first place. After all, how private does an hourly temperature reading need to be? The answer here is that IoT devices operate in clusters – and those clusters are getting bigger all the time; today’s IoT contains over 10bn and that’ll more than double by the end of the decade. Even one data point a minute adds up to a large dataset if you’ve got a million devices.
So: no, maybe one data point doesn’t. But taken together, IoT data paints a picture of your business operations for any interested party. And that picture deserves to be private.
Second, non-technical people hear about VPN for IoT and imagine it’s like the consumer application they use when business traveling. IoT devices can’t use this VPN, and nor should they: the demands of M2M (machine-to-machine) communication differ from the volume and data type of a videoconference or collaborating workgroup. So yes, IoT devices can use VPN – but they use versions specifically designed for them.
These variants are needed because the VPN needs to answer several scenarios. The devices themselves may be spread around the world, connecting (and interconnecting) between various mobile networks. Technicians also need to access individual devices securely, for updates and troubleshooting. And IoT devices, often small and lightweight, simply don’t have the battery capacity for advanced encryption onboard, hence often need to “outsource” it.
Let’s compare those two common protocols for creating VPNs for IoT.
What is IPSec?
The IPSec spec hails from the IETF, the Internet Engineering Task Force. In other words, it’s an “official” specification, created as a standard by a well-established body. Operating at Layer 3 of the traditional 7-layer OSI model (the network layer, where IP is king); it’s therefore a basic part of the IPv4 functionality, integrated with the fundamentals of the Internet.
IPSec is flexible, operating in two modes: transport and tunnel.
The transport mode encrypts the payload of a packet (the data it’s transporting) but not the header data that tells the Internet where it came from and where it’s going: this, of course, means it can’t be used for a VPN, since identifying information is in plain sight. The tunnel mode is how IPSec works for private network IoT: it scrambles the whole thing, barring access to anyone (or anything) without the right key.
IPSec uses both authentication and encryption algorithms to confirm identities and scramble data, and it’s agnostic about both: it can use all the popular approaches to hashing your packets, including HMAC-SHA256 and MD5 for authentication and 3DES and Blowfish for encryption.
What is OpenVPN?
As an Open Source project, OpenVPN was created by a diverse crew of assorted experts working together, which makes it more of an ongoing project than a fixed specification. This means there’s a large community of people around the world who know it, love it, and helped create it. Which partly explains why it’s in widespread use.
With a Secure Sockets Layer (SSL) philosophy, OpenVPN is most commonly associated with Layers 3 and 4 of the OSI model: the network and transport layers with their familiar acronyms like TCP and UDP. Making it a bit more “application-like” than IPSec. (This is a key difference with the consumer VPNs used by traveling employees: those operate much higher up the model, at Layer 7.) There’s a choice of encryption strength, from 128-bit to 256-bit. (Many IoT applications will be happy with the lower strength, which takes fewer computing resources.)
OpenVPN works best as a “point-to-point” VPN, connecting a technician or diagnostic tool to a single remote device at a time through an encrypted tunnel bored directly between them. (Think of a technician checking out a remote device with her laptop.) As such, it’s great for secure remote access IoT applications like updating firmware or fixing problems.
IPSec vs OpenVPN
On to the differences. As stated, OpenVPN makes a great point-to-point solution, but the approach makes it less ideal for large volumes of M2M data moving between disparate IoT devices. So IPSec tends to be used in this case.
As a hardwired standard, however, IPSec is less user-friendly to develop for; it’s hardcore down-to-the-metal hacking – skills rarer in the market. But this does make it faster than OpenVPN, which is implemented entirely in software.
And when it comes to connecting networks to other networks – like the way a large set of SIMs need to be visible to a customer datacenter – IPSec has the edge.
And while both offer good security and encryption, general consensus is that OpenVPN has greater abilities here. (“Paid for” by its lack of support for point-to-multipoint applications in networks where large numbers of devices need to talk to each other.)
So: two approaches, two protocols – and as such, your choice possibly isn’t either/or.
It’s likely your business will find applications for both OpenVPN and IPSec – so make sure you have the ability to use the right one for each specific use case.
