OpenVPN is the backbone of online security. It is supported in many popular virtual private network (VPN) providers such as NordVPN and ExpressVPN, and continues to receive frequent updates well into its 17th year in operation.

It’s an unwritten rule of information technology, however, that popular security protocols will attract the largest contingent of hackers. As OpenVPN is open source, it is therefore much easier for hackers to locate and exploit security vulnerabilities within the software design.

Nevertheless, the value of the open-source model is that it promotes open collaboration, thus encouraging other programmers to suggest changes to the design. This way, security vulnerabilities can be communicated directly to the developers, who then have the option to patch the software and eliminate the vulnerability.

Data security experts are constantly on the lookout for these vulnerabilities and generally make their findings public as part of the open-source agreement. OpenVPN’s greatness lies in its responsiveness to these findings, but there are still certain security flaws that bear highlighting.

OpenVPN core technology
OpenVPN is an innovative, complex piece of software that utilizes a variety of cryptographic tools to provide a secure connection to the internet. However, it is necessary to outline certain aspects of its design in order to understand its security vulnerabilities.

At its core, OpenVPN uses a custom model combining Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to provide encryption. These protocols allow OpenVPN to utilize public-key cryptography, which thus allows it to implement a secure connection over HTTP.

This is accomplished with the resources of the OpenSSL library, which also provides tools for implementing Certificate Signing Requests, a necessary measure in the implementation of HTTPS connections. This application layer, which utilizes Port 443, is far more secure than the HTTP that transfers data over networks in plain text.

As OpenVPN is essentially a proxy, it only engages SSL and TCP once it has received data through HTTP from the user; from there, OpenVPN uses Network Address Translation (NAT) to conceal its users behind a single IP, and then it encrypts the data it has received through HTTP before sending it any further.

Ordinarily, the data is compressed before it is encrypted. When it returns, it is decompressed, decrypted, and passed back to the user through HTTP.

Past OpenVPN security vulnerabilities
Many of the tools used by OpenVPN—such as NAT, User Datagram Protocol (UDP) and Transmission Control Protocol (TCP)—are not very secure in their own right, but are protected through TLS encryption. It is surprising, then, that TLS has historically been the most troublesome part of OpenVPN’s architecture.

In 2012, a compression side-channel attack named CRIME emerged against HTTPS connections, which are, as mentioned, authenticated through TLS connections via Port 443. This enables hackers to leak information from encrypted connections purely by calculating the size of the compressed packets.

A year later, another attack named BREACH began to exploit HTTP responses and HTTP compression rather than TLS compression. CRIME can be prevented by disabling data compression, but with HTTP responses being more prevalent than TLS, there isn’t yet a universal mitigation tactic for BREACH.

The good news is that HTTPS connections are now generally more common than HTTP, which means browsing automatically mitigates the risk of BREACH in itself. Furthermore, very few browsers actually allow compression, which similarly mitigates CRIME.

Better yet, these attacks have never exactly posed a threat to OpenVPN, which shields user traffic after it has already been compressed. In 2018, though, an attack vector named VORACLE emerged that adapted both CRIME and BREACH for OpenVPN. (Note: this includes all VPN providers that support the OpenVPN protocol.)

Similar to the earlier attacks, VORACLE takes advantage of security flaws that arise from the compression stage of TLS. As mentioned, though, hackers need to take a few extra steps before conducting a successful VORACLE attack on OpenVPN.

Because the targeted HTTP traffic has already been compressed before the hacker can get their hands on it, they need to attack this data via the HTTP response.

In other words, OpenVPN needs to have sent compressed, encrypted traffic to a host server that operates in HTTP. The hacker can then assess the data when it is decompressed before returning it to the OpenVPN NAT IP (at which point it will be returned to the user).

Of course, the hacker must have control of the HTTP site itself in order to acquire the targeted data. As such, the targeted user must be lured to an HTTP site that the hacker controls, or to a third-party HTTP site that the hacker can manipulate through methods such as malvertising.

One way to mitigate a VORACLE attack is to disable compression entirely. With many VPN providers, compression isn’t activated by default. If it is active, however, your provider will instruct you on how to deactivate it.

If you cannot go without compression, another option is to use a Chromium browser (like Google Chrome), against which VORACLE is useless. It is also worth remembering that these attacks work on HTTP sites only, so always be careful of whichever links you’re clicking.

OpenVPN in China
Xi Jinping’s government has been increasingly restrictive of Chinese internet freedom over the past decade, and blocking VPN connections has been part of that process. They have implemented technology that can differentiate between ordinary traffic and VPN traffic.

OpenVPN does not obfuscate connections by default, so even if you are using TLS on Port 443, your internet service provider (ISP) can assess your traffic using Deep Packet Inspection (DPI) and throttle your connection as a result.

What’s more, the Chinese government can also use this method to render your VPN-protected device useless. Your ISP will then notify you that you must take your device to the nearest police station to have it unlocked. The police will then manually check over your device and force you to delete any restricted apps before your device is returned to you.

To prevent this from happening, it is essential that you use a VPN provider such as ExpressVPN that allows you to patch OpenVPN for obfuscation. Other providers also support obfuscated versions of the OpenVPN protocol as standard; it’s worth reading a few reviews to get an impression of which providers offer this feature.

All in all, OpenVPN is mostly a secure protocol that is ultimately betrayed by a few security vulnerabilities. With the help of this article, however, you should be able to mitigate these concerns well enough, and therefore may continue to utilize OpenVPN as a gateway to secure web browsing and online anonymity.