
The facts about the OSTIF OpenVPN source code audit

This post was originally published on May 15, 2017.

With funding from the Open Source Technology Improvement Fund (OSTIF), a group of security experts from QuarksLab spent the first few months of 2017 reviewing the source code for OpenVPN—one of the protocols used by ExpressVPN apps.

The audit turned up a handful of security issues, which the OpenVPN developers quickly addressed in the release of OpenVPN 2.3.15.

All ExpressVPN servers already run this updated version of OpenVPN. ExpressVPN apps currently ship OpenVPN 2.3.14, but the servers they connect to all run 2.3.15, and since the reported issues are crashes on the server side of the connection, users are not impacted.
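A practitioner running their own OpenVPN fleet would want to verify the same claim on every host rather than take it on trust. The script below is an added example, not code from ExpressVPN, OSTIF, QuarksLab or the OpenVPN project: it parses the first line of `openvpn --version` output and reports whether each host is at or above the fix release for its branch. The 2.3.15 threshold comes from this post; the 2.4.2 threshold for the 2.4 branch is an assumption taken from OpenVPN's own May 2017 release announcement and should be checked against the project's changelog. The host names and banners are constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum fixed release per OpenVPN release branch.
# 2.3.15 is the release this post names as carrying the audit fixes.
# 2.4.2 is ASSUMED here from OpenVPN's May 2017 release announcement
# (the corresponding fix on the 2.4 branch); verify against the changelog.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2, 3): (2, 3, 15),
    (2, 4): (2, 4, 2),
}

# First line of `openvpn --version` starts with "OpenVPN X.Y.Z ...".
BANNER_RE = re.compile(r"^OpenVPN\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openvpn --version` banner line.

    Returns None when the line does not look like an OpenVPN version banner
    (for example when the binary is missing and the shell printed an error).
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def audit_status(banner: str) -> str:
    """Classify one host's OpenVPN build against the audit fix releases.

    'fixed'      - known branch, at or above that branch's fix release
    'vulnerable' - known branch, below that branch's fix release
    'unknown'    - unparseable banner, or a branch FIXED_RELEASES does not cover
    """
    version = parse_version(banner)
    if version is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "fixed" if version >= fixed else "vulnerable"


def audit_fleet(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a dict of host name -> banner line."""
    return {host: audit_status(banner) for host, banner in hosts.items()}


# Constructed sample data: one banner per host, in the shape of the first
# line `openvpn --version` prints. Host names and build flags are made up.
SAMPLE_HOSTS = {
    "vpn-a": "OpenVPN 2.3.15 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]",
    "vpn-b": "OpenVPN 2.3.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]",
    "vpn-c": "OpenVPN 2.4.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]",
    "vpn-d": "OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]",
    "vpn-e": "-bash: openvpn: command not found",
}


if __name__ == "__main__":
    for host, status in audit_fleet(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```

In a real rollout you would feed `audit_fleet` the banner collected from each server (for example via `ssh host openvpn --version | head -1`) and treat both "vulnerable" and "unknown" as hosts that need attention, since an unparseable banner usually means the binary is missing, renamed, or reporting in an unexpected format.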

What does the audit mean for OpenVPN?

ExpressVPN considers the audit a great success. The issues found were primarily denial-of-service conditions. For example, an attacker with an established VPN session could potentially crash an OpenVPN server after pushing more than 196 GB of data through that single session. Such an attack is not a great concern in practice: ExpressVPN's kill switch would activate and reconnect to another server, and the user would be without connectivity for only a few seconds. Even so, the fix strengthens an already robust protocol.

All things considered, the issues found in this audit are relatively minor, which is great news for OpenVPN and the OpenVPN community and also highlights the quality of this protocol.

Learn more about OSTIF and the OpenVPN audit

You can read OSTIF’s summary of the audit here.

ExpressVPN helped fund this audit. Read our interview with OSTIF here. Thank you, OSTIF and QuarksLab, for a job well done!