NordVPN

VPNs Must Update Their OpenVPN Implementation

Ray Walsh

Ray Walsh

May 19, 2017

In December, we reported that the Open Source Technology Improvement Fund (OSTIF) had received enough donations to be able to start its audit of OpenVPN encryption. Now the independent organization has published the much-anticipated results.

OpenVPN is an open source encryption protocol that is recognized as being the most secure form of VPN encryption available. It is the encryption protocol that we recommend here at BestVPN.com, because it is leaps and bounds ahead of other protocols when it comes to providing privacy for VPN users.

As with any complicated encryption protocol, the software is immensely complex. As such – despite it being open source – there are very few people in the world who are truly experienced and knowledgeable enough to properly audit the platform. For this reason, BestVPN.com was extremely excited to hear about the OSTIF project, and was happy to make a donation towards this valuable research.

The OSTIF audit was performed by two QuarksLab researchers. Ancillary auditing was performed by Dr Matthew Green, a world-renowned cryptographer. The team worked tirelessly to analyze the core cryptography of OpenVPN. The good news is that the OSTIF report, which was published this week, found that the protocol deserves its place at the top of the VPN pyramid. The report found that,

“OpenVPN is much safer after these audits, and the fixes applied to the OpenVPN mean that the world is safer when using this software. We have verified that the OpenVPN software is generally well-written with strong adherence to security practices.”

Some Vulnerabilities Discovered

In total, the audit discovered seven vulnerabilities. Five of those vulnerabilities were classified as “Low or Informational Vulnerabilities/Concerns.” One was found to be a “Medium Vulnerability (CVE-2017-7479),” and one was found to be a “Critical/High Vulnerability (CVE-2017-7478).”

The good news is that the release of the report was made to coincide with an update for the freely available OpenVPN 2.4.2 client version. In addition, the most critical vulnerability does not put OpenVPN users at direct risk, nor in any way threaten the privacy and security of the platform. As such, no one should be overly concerned about the vulnerabilities.

Risk of Denial of Service (DoS) Attacks

The critical vulnerability discovered by the cryptographic auditors concerns a DoS attack that can be triggered by a client sending at least 196 GB in a certain way. The medium vulnerability relates to another denial of service that can be performed with the tls-auth key. Despite being flagged up, the exploit is pretty minor and is not a massive cause for concern.

In real terms, the only discomfort that CVE-2017-7478 could cause is the temporary shutdown of a VPN server because of a denial of service attack larger than 196 GB in size. This is what AirVPN had to say about the outcome of the audit:

“We’re glad to see that the audit completed quickly and that no serious security vulnerabilities have been found client-side. Even server-side, the only two security issues are not particularly worrying.

“Our upgrade schedules server-side remain unchanged, as well as Air client software release cycle. Each new release of our software is packaged with the latest OpenVPN version and keep in mind that you can configure the software to use any OpenVPN version you prefer.”

Fixes Made to OpenVPN

On its website, OSTIF displays the fixes made to the latest version of OpenVPN 2.4.3, thanks to the work of the audit, as follows (please see the OSTIF website for a full rundown of the findings):

In addition, the QuarksLab auditors made 11 other recommendations for improving OpenVPN encryption. One of those recommendations (“Correction of authentication token handling in TLS auth while in an error state”) has already been agreed to by OpenVPN developers and will be in the very next update to the platform. Furthermore, OpenVPN 2.4.3 will:

  • Warn users about the risks of combining compression with streamed data.
  • “Remove system() from sample authentication plugin.”
  • Correct the “authentication token handling in TLS auth while in an error state.”

Furthermore, OpenVPN developers will be updating a number of parts of the documentation in order to comply with a number of suggested improvements.

OpenVPN developers only disagreed with one of the auditors’ suggestions (Removal of –script-security 3.), which will remain as it is (with a possible documentation change). The reason for this is that the OpenVPN team disagreed with the severity of the implied risk.

In addition, OpenVPN developers will not be adhering to the recommendation to remove the –reneg-bytes option. That is because the OpenVPN team says it will break configurations of OpenVPN that use One Time Pads, and must be left in for compatibility.

VPN Providers Must Implement These Changes

Although none of the vulnerabilities discovered by the audit are a serious cause for concern, VPN providers must still seek to implement these changes. The official third party OpenVPN 2.4.2 software has already fixed the worst of the vulnerabilities. However, most commercial VPNs have their own custom clients, which implement OpenVPN by using the open source OpenVPN code.

This means that commercial VPNs must also issue updates for their VPN software in order to shore up these vulnerabilities. OpenVPN is the industry leading VPN encryption protocol, and this OSTIF audit has helped to improve the platform for everybody concerned.

However, the platform will only be secure from these vulnerabilities if VPN providers invest money and time in making these technical upgrades on their custom clients. Sadly, it is probable that this will take some time. Not all VPNs are devoted enough to keep their software at the forefront of the technology. In fact, many VPNs don’t even implement OpenVPN securely enough to keep their users safe (which is why we take great care testing and reviewing VPNs here at BestVPN.com).

To find out where VPNs stand on the subject of the OSTIF audit, we contacted a number of providers to find out when they intend to make the necessary updates to their platform. Here is what they had to say:

ExpressVPN

ExpressVPN has released a blog on the subject. In it the firm says,

“All ExpressVPN servers already run this newly updated version of OpenVPN. Though ExpressVPN apps use 2.3.14, all our servers use 2.3.15, therefore users are not impacted.

“ExpressVPN considers the audit a great success. The issues found were primarily related to denial-of-service threats. For example, an attacker could potentially crash an OpenVPN server after transferring more than 196GB of data through a single VPN session. Though such an attack is not a great concern—ExpressVPN’s kill switch would activate and reconnect to another server in this scenario, and the user would only be without connectivity for a few seconds—the fix strengthens an already robust protocol.”

Buffered

Buffered told me that they “are aware of the results of the audit and will have implemented the necessary upgrades to their platform within three weeks.” Furthermore, as this is a DoS issue, the privacy and security of Buffered subscribers are not directly at risk.

Other VPNs

I contacted a number of other VPNs and was sad that more of them didn’t come forward with a response to this audit. The fact is that because OpenVPN is open source, the availability of the code for updating their OpenVPN servers and clients is freely available. As such, it is important that VPNs make the effort to benefit from this audit in order to further shore up an already highly robust platform. At the end of the day, there is little point in OSTIF going to the trouble of finding vulnerabilities if VPNs don’t seek to make improvements in good time.

However, it is also worth remembering that these vulnerabilities are not a risk to VPN subscribers’ security or privacy. VPN users can be assured that the audit proved OpenVPN to be a highly secure platform, that is still by far the best encryption option nowadays.

Fantastic Result for OpenVPN Encryption

Here at BestVPN.com, we are extremely excited about the results of the audit. Not only was OpenVPN proven to be secure and private, but the research has already improved the platform for VPN users around the world. In the coming months, the very best VPN providers will be using the results to improve their custom VPN clients, making encryption even safer for their consumers.

Finally, we applaud OSTIF and QuarksLab for having conducted the research in such a timely manner. This truly was a big win for VPN technology, and BestVPN.com would like to thank every single organization, company, and individual, that contributed towards the $71,000 fund that was necessary to perform the audit.

Image credit: Teguh Jati Prasetyo/Shutterstock.com

Ray Walsh

I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR. I am an advocate for freedom of speech, equality, and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood, and love to listen to trap music.

4 responses to “VPNs Must Update Their OpenVPN Implementation

  1. Don’t understand why Express VPN touts version 2.3.15 as being up to date when it seems the standard with the audit fixes is 2.4.2 and one of your links says that one of the minor issues will be fixed in release of 2.4.3 or 2.4.4. I don’t understand the differences in these two releases (2.3.15 and 2.4.2) and you don’t address this. Is Express VPN up to date with it’s OpenVPN standards or not?

    1. It is our understanding that it is necessary to update both server and client side up to the standards introduced in 2.4.2. As such, we would suggest that any ExpressVPN customers communicate with ExpressVPN directly about this concern to make sure that they are indeed updating their client accordingly.

  2. Thanks Ray!
    So, why did it cost $ 71,000 to do the audit? I hope this isn’t a dumb question, but while I know a small bit about security, I’m not an IT pro. I’m just curious as I’m still learning. Thanks!

    1. Cryptography involves extremely high levels of technical computer programming knowledge, and there are very few people around that have the necessary skill to conduct the audit. The team of computer programmers involved in the audit would have had to go over the code meticulously to find vulnerabilities, which takes time. The vast majority of the money would have therefore gone to paying those people’s wages during the time that they spent performing the audit.

Leave a Reply

Your email address will not be published. Required fields are marked *

Your Information will never be shared with any third party.
Enter your email address to receive your Beginner's Guide to Online Security for Free
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the ebook:
Your Information will never be shared with any third party.
Enter your email address to receive your Ultimate Online Privacy Guide eBook!
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the eBook:
Special VPN Deal
SAVE 49% TODAY
WITH OUR
Exclusive Offer
Get a Special Deal - 72% OFF!
With a biannual subscription
Exclusive Offer for BestVPN.com Visitors!
50% Off Annual Plan
Limited Time Only
Exclusive price of
$3.25/mo