Two Independent OpenVPN Audits Yield Mostly Positive Results

A lot of people around the world rely on a VPN connection to access information and obfuscate online behavior. A lot of VPN providers use the OpenVPN protocol, which has become somewhat of an industry standard these days. A recent security audit of the OpenVPN protocol yielded some interesting results, although not everything is as positive as people would like it to be.

OpenVPN Audits Reveal Some Peculiar Details

Most security enthusiasts have been well aware of OpenVPN‘s plans to conduct a security audit. The team announced such an audit in December of 2016, which was to be conducted by Matthew D. Green. It now appears a secondary audit has been conducted as well to ensure the outcome could not be seen as biased in any way. The second audit was done by QuarksLab, a French firm known for auditing VeraCrypt in 2016.

As one would expect, the two audits yielded some very mixed results. Both groups shared their findings on the day OpenVPN pushed an updated version of their VPN client to the masses. It is evident all of the findings have been taken into account when releasing the update for this open source VPN solution.

The audit, conducted by Matthew Green yielded no major vulnerabilities, even though there were small and medium issues the project team had to address sooner rather than later. Interestingly enough, Green is quite happy with the way OpenVPN uses cryptography to ensure a proper VPN tunnel. That does not mean this solution is always secure, as it still depends on how it is implemented in the end.

This brings us to how a positive aspect of OpenVPN can also be seen as a potential security risk. The project offers many configuration options, although some options may need to be removed to guarantee a secure connection at all times. All things considered, this audit was rather positive, even though Green advises against using the TLS-Crypt hardening layer for the time being.

The QuarksLab audit took a different route and focused primarily on the security of the software itself. Two bugs were identified, yet those have been fixed with the latest client update. Similarly to Green’s comments, QuarksLab applauds OpenVPN developers for their commitment. However, they warned the team about potential issues arising when making newer versions compatible with older ones.

Moreover, it appears OpenVPN is still using old code that may need to be revamped at some point. There is also a lack of developer documentation, which isn’t helping matters either. The complexity of old code often causes bugs that can take months to find and solve. It is not a big problem right now, but it could prove to be problematic in the long run. OpenVPN is a safe VPN solution, yet there are some minor things that need to be addressed by the team sooner rather than later.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.