FUZZVPN: Finding Vulnerabilities in OpenVPN

OpenVPN is one of the most widely used VPN protocols, allowing for a connection to be securely proxied through another computer. Due to the protocol's critical role in securing communications, it is essential that OpenVPN remains robust against attacks. Previous work has discovered vulnerabilities in OpenVPN, revealing its susceptibility to denial of service, the potential for flow fingerprinting, and the risk of VPN protection being bypassed through operating system exploits or TCP connection hijacking.

In this work, we take a systematic approach to finding attacks by inferring the protocol's specification. We study OpenVPN configured with both the UDP and TCP variants. Given that no standard exists and specification is sparse, we first construct a detailed message sequence chart of the protocol handshake under the UDP and TCP modes, respectively. We use this information to perform systematic adversarial testing with malformed configurations, replay attacks, denial-of-service, resilience to acknowledgments-related attacks, and packet value modifications based on protocol semantics.

We found several new attacks: two new denial-of-service attacks due to the replay of control and acknowledgment packets, the incorrect handling of input validation for 17 protocol configuration options, a scenario where due to an inconsistent view of the state of the connection, the server sends data prematurely to the client causing the client to ignore it, and a scenario where a malicious client configured with weaker authentication can degrade the performance of a victim client configured with stronger authentication.