With over 60 million downloads of OpenVPN’s core open source software, 20,000+ business customers, and hundreds of companies who use the OpenVPN protocol in their own products, you may be wondering: Is the OpenVPN protocol safe?
It’s a valid question. Recent survey results that found 96% of roughly 1,700 codebases contained open source software and saw a 42% overall increase in vulnerabilities. Knowing the security of all of your software is critical to preventing breaches and keeping data secure.
To provide insight into the security of the OpenVPN open source software that our commercial products rely on, we invited a third party, Trail of Bits, to conduct an audit of OpenVPN2. The audit covered not only the codebase itself, but also the processes for maintaining the integrity and reliability of the code. Following the audit, Trail of Bits released a report of its findings in August 2023, which we have made available to you here. This report is used in conjunction with regular testing to ensure that any potential weaknesses or vulnerabilities are addressed quickly and comprehensively.
In this post, we’ll dive into a few key takeaways from the report, including the questions this audit sought to answer and how OpenVPN scored.
Recommended Reading: IoT Vulnerabilities for Cybersecurity
Why Conduct an Audit from Trail of Bits?
Before we delve into the key takeaways, it’s important to understand why conducting an audit was important to OpenVPN and the reason Trail of Bits was chosen to conduct this audit.
“Evolving security frameworks, like zero trust network access, hinge on a secure connection, ultimately creating the foundation for all cybersecurity efforts,” says Johan Draaisma, OpenVPN senior product manager. “Studies show that vulnerabilities found in open source projects are often fixed as fast, or faster, than proprietary code. Even still, it is important that we continually validate the safety and stability of our products. Since our products are built on the OpenVPN open source codebase, we requested an audit by Trail of Bits.”
To best validate the security of OpenVPN, Trail of Bits consultants, who specialize in security research with a real-world attacker mentality, were invited to conduct an audit. Founded in 2012, Trail of Bits has helped secure critical software elements that support billions of end users. You can find an exhaustive list of their research and publications, publicly available on GitHub.
It all comes down to one thing: ensuring that OpenVPN is safe and secure to prevent breaches. In order to continually prevent vulnerabilities and exploits, OpenVPN must continually seek feedback.
Scope of the Security Report
During the period of analysis spanning around one month, auditors sought to answer the following questions:
- Are there any memory corruption vulnerabilities that allow attackers to perform code execution, crash the program, or leak sensitive data?
- What is the state of fuzzing of the project?
- Are there any general issues related to C language that are easily detectable by automated static analysis tools?
- What are the main modes in which OpenVPN operates, and which authentication and configuration methods are supported? Are user-controllable parameters properly handled and sanitized in the OpenVPN implementation?
- How are authentication modes implemented? Are there any differences or gaps in their implementation?
- Are there any common patterns of bugs that have been identified in prior bug reports? Could static analysis be implemented to help prevent such bug patterns in the future?
- How can OpenVPN improve its security in the long term? What are the biggest opportunities?
Auditors used a variety of automated techniques to extensively test the security properties of the OpenVPN software. These include the use of both open-source static analysis and fuzzing utilities, along with their own internal tools, to perform automated testing of source code and compiled software. Furthermore, auditors used a traffic-light protocol for a clear understanding of the areas in which the codebase is mature, immature, or underdeveloped.
OpenVPN Security Assessment Results
Now, let’s get into some of the more technical details.
Overall, Trail of Bits reported, “The audit did not uncover any significant flaws that could impact system confidentiality, integrity, or availability in the time provided.”
This finding validates the ongoing efforts of OpenVPN to maintain secure code that is free of vulnerabilities and threats, and highlights the continual improvement of OpenVPN. This is not only critical to OpenVPN as a whole, but to anyone who uses the OpenVPN open source protocol.
“Since a previous audit conducted by Quarkslab 2017, we have only seen five very minor vulnerabilities which were quickly corrected,” says Draaisma. “In a six year period, that is quite low. This is due in part to the excellent continual auditing process, and reviewing any and all changes extensively.”
This result highlights not only the continual improvement of OpenVPN, but to the overall quality of OpenVPN when compared to software industry standards as a whole. In fact, a recent study found that at least one known open source vulnerability was detected in 84% of all commercial and proprietary codebases, while OpenVPN has seen fewer than one per year on average.
Additionally, this report highlights ongoing improvements since the 2016 audit by Johns Hopkins University crypto professor Dr Matthew Green, which found that OpenVPN 2.4 had no major vulnerabilities.
Areas Where OpenVPN Scored Strongest
OpenVPN was ranked highly in several areas of the report, one key area of which was auditing.
According to a recent survey, 80% of organizations ship code daily or weekly, but only 27% audit continuously. Continual auditing is crucial to track how changes are made to the code and to make sure any changes are fully vetted. Open source projects allow for anyone to review the codebase, as it is publicly available for anyone to see. This by itself means there is a lot of transparency. It also allows anyone to contribute changes and improvements. The obvious danger there is that someone might sneak in something malicious. However, with OpenVPN there is a very strict review process that requires approval from multiple developers and rigorous testing to be passed before any changes are accepted in the codebase. Trail of Bits auditors validated this and found that OpenVPN has implemented extensive logging and auditing features, and especially so for critical code paths.
The report also highlighted several additional areas in which OpenVPN scored well:
- Authentication/Access Controls: Auditors found no issues with the OpenVPN server authentication methods performed by clients.
- Complexity Management: The code is split into reasonable functions and modules.
- Cryptography and Key Management: Auditors found no issues in the implementation of cryptography or key management.
- Data Handling: While auditors found no significant issues with data handling, in some cases the APIs are not consistent.
- Maintenance: The build system is user friendly, extensible, and well adapted to work on multiple platforms.
Where OpenVPN Scored Moderate
The report highlighted a few items where OpenVPN benefits from improvements:
- Arithmetic: The auditors did not find any arithmetic-related issues such as integer overflows. However they do caution that there are no specific measures taken against this occurring in future changes, but improved fuzzing and unit testing can detect such issues.
- Configuration: The OpenVPN project mainly leaves it up to the user to determine best practices with regard to security configurations and security hardening options. The freedom to configure things as you see fit may lead inexperienced users to have a suboptimal configuration, despite available documentation.
- Memory Safety and Error Handling: Errors are generally handled consistently within the codebase; however, there were a few cases where a memory leak could happen due to incorrectly handled error paths. These items were resolved in the OpenVPN codebase.
There were also 10 other areas of improvement reported, and none of those pose an imminent or extensive security risk. The details are in the Trail of Bits report.
Read the Full Report
As highlighted in the report, the audit did not uncover significant flaws and yielded generally positive results in most code paths reviewed, which is a testament to OpenVPN's security efforts. The full report, including answers to all of the questions posed in the security report, the scope, and the recommendations, is available for download. You can also find more security reports from Trail of Bits on GitHub.
If you’re ready to learn more about the security measures in Cloud Connexa and Access Server and how our solutions compare in security features, check out our product comparison page or request a demo.