The whole point of a VPN is to keep our data streams safe and secure. In this article we take a deep dive into OpenVPN security: we discuss some known security vulnerabilities, look at the best encryption options, and, in light of those vulnerabilities, explain how to make OpenVPN safer.
So What Is OpenVPN?
OpenVPN is open-source VPN software that offers methods to build secure site-to-site VPN connections and client-to-server (client-to-site) VPN solutions.
The OpenVPN project was founded by James Yonan and was first released in 2002. It is popular because it supports all the major operating systems: Windows, macOS, Linux, the mobile platforms Android and iOS, and also FreeBSD, QNX, Solaris, Maemo, Windows Mobile, and ChromeOS.
OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates, or usernames and passwords. It supports traffic over either TCP or UDP, and it supports both IPv4 and IPv6.
When the client program is installed, OpenVPN installs two network interfaces on the operating system: the universal TUN driver (layer 3) and the TAP driver (layer 2). It can optionally use the LZO compression library to compress the data stream. Its officially assigned port is UDP 1194. UDP is recommended for OpenVPN because it is very fast, but if the ultimate goal is safety rather than speed, then TCP is advisable.
Is OpenVPN Free?
OpenVPN is available as free open-source software, so we can implement and use it as we like; for example, it can be installed on top of any Linux distribution.
Companies such as OpenVPN Inc. have developed their own commercial, paid versions. OpenVPN Inc.'s commercial server is called OpenVPN Access Server (OpenVPN AS), and alongside it they have developed a client program called OpenVPN Connect, which also works on all popular platforms.
The important point is that, no matter which version we use, we need to keep our OpenVPN deployment safe and secure.
OpenVPN Access Server By OpenVPN.Net
OpenVPN Access Server is a commercial version based on the free open-source OpenVPN server that adds a web-based interface.
Its options are laid out in a graphical user interface, which eases the learning curve. It also comes with a built-in set of installer files for the OpenVPN Connect client, the client software used to connect Windows and macOS computers to an OpenVPN Access Server; unlike the free open-source version, these come preconfigured for use immediately after installation.
How to use OpenVPN?
OpenVPN can be used in a site-to-site topology (server to server) or client-to-site (client-server model). Here are some client-server model examples:
- Secure Remote Access
- Multiple OpenVPN Secure Remote Gateways
- OpenVPN Secure Internet Traffic or Contact Limited Access Traffic
- VPN Gateway Between Multiple Cloud Providers
You can choose to install either the open-source version or OpenVPN Access Server. For this, grab yourself an Ubuntu machine or VM and install either one; a separate guide covers installing and using OpenVPN Access Server on Ubuntu.
The Known OpenVPN Security Vulnerabilities
In order to keep our OpenVPN server installation and client connections safe from hackers and other offenders, we need to keep a regular check on the known security vulnerabilities reported from time to time. Here are the statistics and charts for the years 2005 to 2018:
So we see that up to 2018 the following vulnerabilities were reported; the last, in 2018, was classed as Overflow. There were two attack types recorded under Overflow, and their descriptions follow:
- CVE-2018-9336 (Mem.Corr)
- CVE-2018-7544 (DoS Exec Code +Info)
CVE-2018-9336 (Mem.Corr)
openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impacts including privilege escalation. There were 415 exploits recorded for this.
CVE-2018-7544 (DoS Exec Code +Info)
** DISPUTED ** A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensitive information, or cause a denial of service (SIGTERM) by triggering XMLHttpRequest actions in a web browser.
This is demonstrated by a multipart/form-data POST to http://localhost:23000 with a “signal SIGTERM” command in a TEXTAREA element.
NOTE: The vendor disputes that this is a vulnerability. They state that this is the result of improper configuration of the OpenVPN instance rather than an intrinsic vulnerability, and they now more explicitly warn against such configurations, both in the management-interface documentation and with a runtime warning. There were 134 recorded exploits for this.
If you would like to dive in further, the Security Vulnerability Reporting Site has the full details.
How to keep OpenVPN Safe Despite Known Security Vulnerabilities?
Now that we know OpenVPN has had some vulnerabilities in the past, how, in 2021, can we use it as safely and securely as possible? The short answer is encryption; the long answer is to use the strongest encryption available at the time of use. The discussion below shows how encryption helps defeat these security flaws, and it is rather simple to implement and use.
OpenVPN uses the OpenSSL library to encrypt both the control channel and the data channel. OpenSSL also handles authentication, which lets OpenVPN use all the ciphers available in the OpenSSL package. OpenVPN can also use an HMAC to add further security to the connection, and hardware acceleration is optionally available for better encryption performance.
Best OpenVPN Encryption to Keep OpenVPN Safe
OpenVPN encryption consists of two parts: data channel encryption and control channel encryption. Data channel encryption protects the data itself. Control channel encryption secures the connection between your computer and the VPN server.
Control channel encryption is also called TLS encryption because TLS is the technology used to securely negotiate the connection between your computer and the VPN server. This is the same technology used by your browser to securely negotiate a connection to an HTTPS-encrypted website.
- Control channel encryption consists of a cipher, handshake encryption, and hash authentication.
- Data channel encryption consists of a cipher and hash authentication.
VPN providers often use the same level of encryption for both control and data channels.
In cryptography, a cipher is an algorithm that performs encryption or decryption.
OpenVPN can use a number of symmetric-key ciphers in order to secure data on both control and data channels. In practice, the only ones used by commercial VPN providers are Blowfish, AES, and (very rarely) Camellia.
Blowfish-128 is the default cipher used by OpenVPN. Blowfish has often been considered safe enough for casual purposes, but it has known weaknesses.
AES has become the VPN industry's “gold standard” symmetric-key cipher. AES is NIST-certified and, from the OpenVPN perspective, is almost universally considered very safe. AES-256 is used by the US government to protect “secure” data.
Its 128-bit block size, compared with Blowfish's 64-bit block size, also means it handles larger files (over 4 GB) better than Blowfish. In addition, the AES instruction set benefits from built-in hardware acceleration on most platforms.
Camellia is a modern secure cipher and is at least as secure and quick as AES. It is available in key sizes of 128, 192, and 256 bits.
To negotiate a connection securely between your device and a VPN server, OpenVPN uses a TLS handshake. This allows the OpenVPN client and the VPN server to establish and exchange the secret keys safely.
There are two types of encryption handshake offered by OpenVPN.
RSA
RSA is an asymmetric encryption system: a public key is used to encrypt the data, but a different private key is used to decrypt it. It has been the basis for security on the internet for the last 20 years or so.
RSA with a key length of 1024-bits or less is not secure.
Diffie-Hellman and ECDH
Diffie-Hellman (DH) is a cryptographic key exchange. It usually has a key length of 2048 or 4096 bits. Note that anything less than DH-2048 should be avoided because of its susceptibility to the Logjam attack.
Elliptic curve Diffie-Hellman (ECDH) is a newer form of cryptography that is not vulnerable to this attack.
ECDH key length starts at 384-bits. This is considered safe and secure.
SHA Hash Authentication
This is also referred to as data authentication or hash message authentication code (HMAC). Secure Hash Algorithm (SHA) is a cryptographic hash function used (among other things) to authenticate data and SSL/TLS connections. This includes OpenVPN connections.
HMAC SHA-1 as used by OpenVPN is considered secure, and there is mathematical proof of this. Of course, HMAC SHA-2 and HMAC SHA-3 make OpenVPN safer still.
OpenVPN Encryption Best Practices for Secure Usage
The following recommendations answer two questions: how safe and good is OpenVPN encryption really, and how do we ensure the best security outcome?
- Cipher – the industry recommends using AES-256.
- Handshake – RSA-2048+ and ECDH-384+ are secure. Importantly, RSA-1024 and Diffie-Hellman handshakes below 2048 bits are not.
- Hash authentication – HMAC SHA-1 is absolutely fine, but HMAC SHA-2 (SHA-256, SHA-384, and SHA-512) and HMAC SHA-3 are even more secure.
Note that if an AES-GCM cipher is used, separate hash authentication is not required.
- Perfect Forward Secrecy (PFS) – this ensures that new encryption keys are created for each session. OpenVPN should not be considered secure unless PFS is implemented. This can be done either by including a Diffie-Hellman or ECDH key exchange in an RSA handshake, or by using a DH or ECDH handshake.
- Encryption settings should be strong on both the data and control channels.
- Using higher bit lengths for ciphers and keys is almost always more secure, but this comes at a cost in speed.
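As an added example (not the article's own code, nor the OpenVPN project's), the following Python script audits an OpenVPN server configuration against the recommendations above and also flags the management-interface misconfiguration behind the disputed CVE-2018-7544. The directive names are real OpenVPN server options; the two sample configs and the file names in them (dh1024.pem, ta.key, mgmt.pw) are constructed for the example.

```python
import re

# Constructed sample configs (not from any real deployment): the first makes the weak
# choices the article warns about, the second applies its recommendations.
WEAK_CONF = """\
cipher BF-CBC
auth SHA1
dh dh1024.pem
management 127.0.0.1 23000
"""

HARDENED_CONF = """\
cipher AES-256-GCM
auth SHA256
dh none
ecdh-curve secp384r1
tls-crypt ta.key
management /run/openvpn/mgmt.sock unix mgmt.pw
"""

def parse_conf(text):
    """Map each directive to its argument list ('#' and ';' comments are dropped)."""
    conf = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            key, *args = line.split()
            conf.setdefault(key, args)   # first occurrence of a directive wins
    return conf

def audit(text):
    """Return a list of findings; an empty list means the config meets the recommendations."""
    c, findings = parse_conf(text), []
    cipher = c.get("cipher", ["BF-CBC"])[0].upper()   # Blowfish is assumed if unset
    if not cipher.startswith("AES-256"):
        findings.append(f"cipher {cipher}: use AES-256 (AES-256-GCM preferred)")
    auth = c.get("auth", ["SHA1"])[0].upper()
    if not cipher.endswith("GCM") and auth not in ("SHA256", "SHA384", "SHA512"):
        findings.append(f"auth {auth}: HMAC SHA-2 is stronger (not needed with AES-GCM)")
    dh = c.get("dh", ["none"])[0]
    bits = re.search(r"(\d{4})", dh)   # e.g. dh2048.pem -> 2048
    if "ecdh-curve" not in c and (bits is None or int(bits.group(1)) < 2048):
        findings.append(f"dh {dh}: PFS needs DH-2048+ or an ecdh-curve (Logjam)")
    if "tls-auth" not in c and "tls-crypt" not in c:
        findings.append("no tls-auth/tls-crypt: control channel has no extra HMAC layer")
    mgmt = c.get("management")   # management IP port [pw-file] | socket unix [pw-file]
    if mgmt and len(mgmt) >= 2 and mgmt[1] != "unix" and len(mgmt) < 3:
        findings.append("management on a TCP port without a password file (cf. CVE-2018-7544)")
    return findings
```

Run `audit(WEAK_CONF)` to see every weak choice reported, and `audit(HARDENED_CONF)` to confirm the corrected config returns no findings.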
The biggest strength of the OpenVPN project is its open-source nature: the code cannot be influenced by third-party intrusion such as government agencies or political interests. As the hacker network grows stronger, so does the OpenVPN community, which strives to keep the OpenVPN code better and better while keeping it safe and robust, making it difficult for rogue parties to intrude. This is unlike other VPN technologies that are vendor-driven and cannot be given the benefit of the doubt that they are not agency-funded or politically driven. The end choice is yours, so make it wisely.