OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server


OpenVPN is a private company that enables consumers and businesses to leverage mobility, access, and security, and to simplify IT. Google, Samsung, Amazon, HP, IBM, Trane, universities, public schools and over 100,000 businesses are protected on premises, in the cloud, and in the field with OpenVPN software.

OpenVPN Access Server is an award-winning VPN server that provides virtual network connectivity to the cross-platform OpenVPN Connect client and other VPN clients compatible with the OpenVPN protocol. The OpenVPN protocol has established itself as a de facto standard in the open source networking space, with over 50 million downloads since inception.

OpenVPN Access Server supports a wide range of configurations, including access-controlled and secure remote access to internal network and/or private cloud network resources and applications. Some of the key features of OpenVPN Access Server are:

OpenVPN Access Server Has Everything You Would Need

  • BYOD Regardless of Operating Systems

    OpenVPN Clients free your users to choose their favorite device, with support for Android, iOS, Linux, macOS, and Windows.

  • Flexible Deployment Options

    Server software installation images are available for:

    • Most of the popular Linux distributions
    • VMware and Microsoft virtualized infrastructure
    • Azure and AWS Clouds
  • VPN Administration Web Portal

    • Administrator portal provides for intuitive configuration of settings
    • User connection access logs can be viewed and searched
    • For those administrators that prefer Command Line Interface (CLI) access, a rich command set is available
  • Fine-grained Access Control

    • Global, Group, and User hierarchy allows for methodical access configuration
    • Rules can be defined at the IP address, protocol, and port granularity
  • One-click Client Distribution

    • Just sharing the web address of Access Server's Client Portal with your users solves the client distribution challenge inherent in wide-scale deployments
    • After authentication, users download their client installation files or connection profiles directly from the Access Server's Client Portal
  • Multiple Secure Authentication Modes

    • Integrated with two-factor authentication using Google Authenticator
    • Plug-ins can be used to integrate multi-factor authentication with Duo Security, smart cards and any TOTP-based token generator
    • Users can be authenticated using PAM, RADIUS, LDAP, Active Directory, or a local user database
  • No-hassle Certificate Management

    • OpenVPN Access Server comes built-in with its own internal X.509 PKI, but can also support an external PKI
    • VPN clients get their certificates bundled with their configuration profiles
  • Transparent Open Source Code

    • Leverages OpenVPN, OpenSSL, and mbed TLS open source projects
    • Code is scrutinized and quick fixes are ensured due to large community support

OpenVPN Access Server Capabilities

  • Connection Support

    • Provides Layer 3 virtual private networking using the OpenVPN protocol. The OpenVPN protocol uses SSL/TLS with client and server certificates to perform key exchange and mutual authentication.
    • OpenVPN is firewall and web proxy friendly, as encrypted traffic is tunneled via UDP or TCP.
  • Cryptographic Services

    • A choice of either mbed TLS or OpenSSL provides the core for secure communications and cryptography.
    • The crypto suite can be customized to suit your needs; the defaults are the AES-256-CBC cipher for encryption, HMAC-SHA256 for authentication, Diffie-Hellman Group 14, and a 2048-bit RSA key length.
  • Linux OS Support

    • Red Hat Enterprise Linux, CentOS, Ubuntu, Debian, and openSUSE.
  • Database Support

    • Supports MySQL (defaults to an SQLite database)
  • Cloud Image Availability

    • Amazon Web Services (available from the AWS Marketplace)
    • Microsoft Azure
  • Virtualization Support

    • Prepared VM images are available for Microsoft Hyper-V and VMware ESXi
  • Client OS Support

    • OpenVPN Connect clients are available for Android, iOS, macOS, and Windows.
    • The OpenVPN open source client is included in all major Linux distributions.
  • Client Configuration

    • IP address, DNS servers, WINS server, specific routes, client-side scripts
  • Split-Tunneling

    • Full-tunnel and split-tunnel redirection are possible (all VPN client internet traffic goes through the VPN tunnel, or only specified traffic).
  • Availability, Failover

    • Multiple servers can share an external database
    • UCARP-based primary-secondary failover for LAN deployment
  • Routing Support

    • Direct Connection (server set in SNAT mode): all communication needs to be initiated from the VPN clients in this mode
    • Routed Connection (server set in a static route as gateway to VPN clients): VPN clients as well as devices on the internal network can initiate connections
    • Site-to-Site routing, using a suitably configured Linux-based system as gateway at one site while using a routed connection to the server at the other site.
  • Ease of Client Deployment

    • Users can download preconfigured client software, or connection profiles for their device, directly from your deployed Access Server's User Web Portal.
  • Scalability

    • A typical server can handle up to 1,500 concurrent connections carrying real-world traffic.
  • Reporting

    • Detailed client access logs are searchable, downloadable, and viewable.
  • Data Compression

    • LZO, LZ4
  • Branding

    • Customizable Server Portal branding
  • Licensing Options

    • Two (2) simultaneous connections are supported in trial mode free of charge
    • An annual licensing fee is charged based on the quantity of concurrently connected devices. Upfront multi-year purchases are offered a discount.
    • AWS tiered pricing is supported