OpenVPN Compliance

Security Assessment Overview

Data Security Compliance FAQ

OpenVPN Access Server: This program creates secure tunnels (VPN) over public or private networks, with the goal of protecting the data transferred through the tunnel from eavesdropping and unauthorized modification. It is a software solution that can be self-hosted on premises, in data centers, or in cloud environments, on physical devices or virtual machines. The choice of deployment is up to the system administrator deploying the solution.

CloudConnexa: Similar to OpenVPN Access Server, except that this service is hosted and maintained by OpenVPN Inc. It is a cloud service, also referred to as VPNaaS (VPN as a Service). It creates secure tunnels (VPN) over public or private networks, with the goal of protecting the data transferred through the tunnel from eavesdropping and unauthorized modification, and it allows hosts and host networks to be connected to CloudConnexa for secure, encrypted communication.

Data exchanged for system administration purposes travels over encrypted SSH and/or HTTPS. The actual data sent through the secure tunnels is encrypted using the OpenVPN protocol; details of its operation are available on our website.

The OpenVPN program is a publicly audited open source project with a track record of many years of excellent security.

Security operations are assigned to the operations team, which is tasked with overseeing the deployment, management, penetration testing, and security solutions and practices for our entire infrastructure.

Automated monitoring systems coupled with human monitoring ensure that when an issue occurs, it is noticed quickly. The operations team is spread across multiple countries (USA, Europe) for 24x7 availability, to ensure rapid response in case of an issue.

Our support team is similarly staffed for 24x7 support, even on weekends and holidays.

We use centralized, code-based infrastructure and security access management, with internal peer-reviewed processes built on well-known industry-standard solutions. Our entire infrastructure is backed up in multiple ways, as both full images and separate file storage, in separate data storage locations, with schedules that vary with the importance of the data (weekly, daily, hourly), so disaster recovery is fast and the chance of data loss is minimized. Some of the software we use: Bacula, CPM, Terraform, Puppet, FreeIPA. We use industry-standard and custom solutions to monitor all our systems and their log output, and use anomaly detection to find deviations and act on them. Due to company security policies, we are not willing to release more detailed information, as this may be considered a compromise of our internal security.

For those platforms that must be exposed to the Internet in order to offer certain online services, multiple layers of online filtering and protection, both external and internal, sit in front of our servers. Each layer provides automatic rate limiting, signature detection, automated scanning and reporting, and mitigations such as blocking or browser/captcha checks in the event of any type of attack.

By default, OpenVPN Access Server supports certificate-based authentication, credential-based authentication, and time-limited token-based authentication, and it can be extended to other types. You can enable the built-in support for time-based one-time password (TOTP) multi-factor authentication. Examples of TOTP MFA apps include Google Authenticator, Microsoft Authenticator, Gnome Authenticator, andOTP, and FreeOTP. You can also implement other options such as Duo 2FA.

We rely on code scanning, vulnerability scans, and penetration testing, as well as internal code reviews and reports sent in through our secure security email address. OpenVPN is an open source project, and this openness means it can be audited by anyone. It is audited by the OpenVPN open source community, by OpenVPN Inc., and through projects such as OSTIF, which engage security companies such as Fox-IT and Quarkslab to audit our code and find issues. Any findings are then resolved and updates released to address them.

Any urgent security issue is mitigated with a hotfix or an emergency update release. In every release, any known security issue is prioritized and resolved.

Your email address (required) and, optionally, any information you provide us such as company name, contact name, and company address (for invoicing purposes).

OpenVPN Access Server: For software licensing purposes we collect the minimum information required to ensure that licensing lets you use the number of connections you are licensed for. Details are listed below.

We specifically do not collect sensitive data stored on your OpenVPN Access Server, such as private keys, certificates, usernames, passwords, log reports, and so on. The only exception is when you send data to our support department yourself, for example log files we need to examine to investigate the cause of a reported issue.

OpenVPN Access Server subscriptions: We receive the subscription ID and only the number of connections currently in use by each server, in regular reports.

OpenVPN Access Server fixed license key: These lock to hashes of certain hardware specifics during activation, so that the license key is valid for your device only.

OpenVPN Access Server AWS tiered instances: We receive the EC2 AMI ID and ProductCode metadata to determine whether the machine has a valid software license.

Our infrastructure has dedicated software repositories and fully separate environments for development, quality assurance, and production. Code must be peer-reviewed before it goes to the production environment. Code flows in one direction only, from development to QA to production, never the other way, and the environments have no direct contact with each other.

Standard HTTPS and SSH encryption are applied in transit. Stored data is encrypted using AES-256, and secrets such as passwords are stored only as irreversible hashes (SHA-256 or bcrypt) with a unique salt per value.

All the other security measures mentioned earlier apply, and on top of that the data is accessible only from within our internal production environment, not from outside it.

In the United States of America. No data is stored outside of the US.

Until a request is made to delete it, or until we migrate to a new system in which only active accounts are migrated and inactive accounts are marked obsolete.

MFA and other security measures are implemented for our systems.

Due to company security policies, we are not willing to release information on this as this may be considered a compromise of our internal security.

Yes: anti-malware, anti-virus, and similar controls.

We use centralized code-based infrastructure and security access management with internal peer-reviewed processes using well-known industry-standard solutions.

Background checks are performed, along with personal assessment by multiple (management) team members within the company, continuous reassessment within the team, non-disclosure agreements, and standard employment contracts.

Due to company security policies, we are not willing to release information on this as this may be considered a compromise of our internal security.

For all essential services, multiple load-balanced redundancies exist, hosted in physically separate data centers, so that any interruption either goes entirely unnoticed by our customers or can be mitigated within an extremely short period of time, and loss of service is minimized. In the event of an extremely widespread disaster, our entire infrastructure is backed up in multiple ways, as both full images and separate file storage, in separate data storage locations, with schedules that vary with the importance of the data (weekly, daily, hourly), so disaster recovery is fast and the chance of data loss is minimized.

This is measured in minutes, or, in extreme situations, a few hours at the most.

OpenVPN has successfully completed a SOC 2 (Type 1) audit, meeting rigorous security, availability, and confidentiality standards, which verifies that our security controls are in accordance with the AICPA Trust Services Principles and Criteria.

We have company members dedicated to ensuring we are compliant with regulations in terms of law, privacy, regulatory bodies, and so on, and we have legal counsel in those areas as well.

External audit reports: You may consult Quarkslab and the OSTIF project for verification of the external audits performed on the OpenVPN code.

If you are a resident of the EEA, you have the following data protection rights:

  • If you wish to access, correct, update, or request deletion of your personal information, you can do so at any time by emailing privacy@openvpn.net.
  • To exercise your rights to delete your personal data under the GDPR, you can request account deactivation and deletion by contacting OpenVPN support.
  • In addition, you can object to the processing of your personal data, ask us to restrict the processing of your personal data, or request portability of your personal data. Again, you can exercise these rights by emailing privacy@openvpn.net.
  • You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you. To opt-out of other forms of marketing, please contact us by emailing privacy@openvpn.net.
  • Similarly, if we have collected and process your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal data conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.