[MichaelGG]

OpenVPN isn't really an SSL VPN. In one of the major modes (preshared key), TLS isn't used at all. In client-server mode, TLS is only used for session negotiation (keys, options, user/pass) and the rest goes over their own protocol and doesn't use TLS at all. And even then it isn't TLS over TCP directly, but TLS over OpenVPN's own protocol.

For whatever reason, OpenVPN is way easier to get up and running. Little knowledge required. UDP overhead is minimal.

t. Recently implemented an OpenVPN client from scratch.

[terrywang]

Thanks for pointing out, good insight. Haven't really done a deep dive for OpenVPN as strongSwan works perfectly fine for pretty much all my use cases.

However, strongSwan (IPsec) is easy to block (e.g. if detected by big brother - GFW in China) as by default is uses UDP ports 500, 4500, while OpenVPN can easily disguise as SSL/TLS or anything. In that sense, OpenVPN can be a backup for IPsec for remote access (fighting censorship).

[MichaelGG]

OpenVPN cannot disguise as SSL/TLS - every packet has an OpenVPN header, so it won't look like, say, an HTTPS connection. And the data packets do not use TLS at all. It would not take much effort at all to detect that a stream is using OpenVPN. Every data packet will start with the same few bits regardless of encryption options used. And the start of a new session has a recognizable sequence of initial bytes, again, regardless of the options used.

Whether or not firewalls are doing enough DPI to figure this out is another question.