OpenVPN Compliance

GDPR Assessment Overview

Security Questionnaire GDPR Compliance

The product Access Server is designed to create secure tunnels (VPN) over public or private networks with the goal of securing the data transferred over the secure tunnel from eavesdropping or unauthorized modification.

It is a software solution that can be self-hosted on-premise, in data centers, or in cloud environments, on physical devices or virtual machines. The choice of deployment is up to the system administrator deploying the solution.

Data exchanged for system administration purposes goes over encrypted SSH and/or HTTPS, and the actual data sent through the secure tunnels is encrypted using the OpenVPN protocol; details of its operation are available on our website.

The OpenVPN program is a publicly audited open source project with a track record of many years of excellent security.

Security operations are assigned to the operations team, which is tasked with overseeing the deployment, management, penetration testing, and security solutions and practices for our entire infrastructure.

Automated monitoring systems coupled with human monitoring ensure that when an issue occurs, it is noticed quickly. The operations team is spread across multiple countries across the globe (USA, Europe) for 24x7 availability to ensure rapid response in case of an issue.

Our support team is similarly manned for 24x7 support, even on weekends and holidays.

We use centralized code-based infrastructure and security access management with internal peer-reviewed processes using well-known industry-standard solutions. We have our entire infrastructure backed up in multiple ways in both full images and separate file storage, in separate data storage locations, with varying schedules depending on importance of data (weekly, daily, hourly), so disaster recovery is fast and easy, and the chance of data loss is virtually entirely eliminated. Some names of certain software we use: Bacula, CPM, Terraform, Puppet, FreeIPA. We use industry-standard and custom solutions to monitor all our systems and their log output and use anomaly detection to find deviations and act on them. Due to company security policies, we are not willing to release more detailed information as this may be considered a compromise of our internal security.

For those platforms that are exposed to the Internet by necessity in order to offer certain online services, multiple layers of online filtering and protection are present before anything can ever reach our servers, both external and internal. They each have automatic rate limiting, signature detection, automated scan and reporting capabilities, and mitigation solutions such as blocking or browser/captcha checking in the event of any type of attack.

Certificate-based authentication, credential-based authentication, and time-limited token-based authentication are built into OpenVPN Access Server by default, and it can be extended to other types. The Google Authenticator method, for example, is built in, and Duo Security can be implemented as well.

Code scanning, vulnerability scans, and penetration testing, as well as internal code reviews, and reports sent in through our secure security email address. OpenVPN is an open source project, and this openness means it can be audited by anyone. It is audited by the OpenVPN open source community, the OpenVPN Inc. company, and various projects such as OSTIF, which are aimed at having security companies like FoxIt and Quarkslab audit our code to find any issues. These are then resolved and updates are released to address them.

Any urgent security issue will be mitigated with hotfixes or emergency update releases. With every release any known security issue is prioritized and resolved.

Email address (required) and optionally any information you provide us, like company name, contact name, and company address (for invoicing purposes). For OpenVPN Access Server licensing purposes, an irreversible hash is stored of certain hardware specifics of the servers on which you run an activated Access Server. Because the hash is irreversible, its only use is to prevent unauthorized duplicate use of a purchased license on multiple servers, and it is used only as such.

Dedicated software repositories and totally separate infrastructures for quality assurance, development, and production purposes exist in our infrastructure. Code must be peer-reviewed before it goes to the production environment. Information flows only in one direction, from development to QA to production, and never the other way around. The different environments have no direct contact with each other.

Standard HTTPS and SSH encryption are applied, as well as encryption of data using AES-256, and SHA-256 or bcrypt irreversible hashes with a unique salt.

All other security measures mentioned earlier apply, and on top of that, the data is only accessible in our internal production environment, and not outside of it.

We use centralized code-based infrastructure and security access management with internal peer-reviewed processes using well-known industry-standard solutions. We have our entire infrastructure backed up in multiple ways in both full images and separate file storage, in separate data storage locations, with varying schedules depending on importance of data (weekly, daily, hourly), so disaster recovery is fast and easy, and the chance of data loss is virtually entirely eliminated. Some names of certain software we use: Bacula, CPM, Terraform, Puppet, FreeIPA. We use industry-standard and custom solutions to monitor all our systems and their log output and use anomaly detection to find deviations and act on them. Due to company security policies, we are not willing to release more detailed information as this may be considered a compromise of our internal security.

On top of that, the data is only accessible in our internal production environment, and not outside of it.

In the United States of America. No data is stored outside of the US.

Until a request is put in to delete it, or until we migrate to a new system, in which case only active accounts are migrated and inactive accounts are marked obsolete.

MFA and other security measures are implemented for our systems.

Due to company security policies, we are not willing to release information on this as this may be considered a compromise of our internal security.

Yes, anti-malware, anti-virus, etc.

We use centralized code-based infrastructure and security access management with internal peer-reviewed processes using well-known industry-standard solutions.

Background checks are performed, personal assessment by multiple (management) team members within the company, continuous reassessment in the team, non-disclosure agreements, and standard employment contracts.

Due to company security policies, we are not willing to release information on this as this may be considered a compromise of our internal security.

For all essential services multiple load-balanced redundancies exist that are stored in physically separate data centers to ensure that any interruption either goes entirely unnoticed to our customers or can be mitigated within an extremely short period of time, so the loss of service is virtually entirely eliminated. In the event of an extremely widespread disaster, we have our entire infrastructure backed up in multiple ways in both full images and separate file storage, in separate data storage locations, with varying schedules depending on importance of data (weekly, daily, hourly), so disaster recovery is fast and easy, and the chance of data loss is virtually entirely eliminated.

This is measured in minutes, or in extreme situations a few hours at the most.

We are not certified to those programs. We maintain and continuously develop and improve our own security. We are a world leader in security solutions.

We have a company member that is dedicated to ensuring we are compliant with regulations in terms of law, privacy, regulatory bodies, and so on, and we have legal counsel in those areas as well.

Yes, and our public privacy policy can be found here: https://openvpn.net/privacy-policy/

External audit reports: you may consult Quarkslab and the OSTIF project for verification of the external audits performed on our OpenVPN code.
