Is OpenVPN UDP vulnerable to heartbleed?

I need to decide if I'm going to rebuild some servers, but they are very carefully firewalled; 1194/TCP is one of the firewalled ports (yay whitelist!).

1194/UDP is used (mission critical).

Solution 1:

OpenVPN over UDP also uses TLS, so it is equally affected, just like HTTPS. I have verified this by looking at a packet capture, and saw that the Heartbeat extension is advertised.

Many public tools just check for TLS/STARTTLS servers, but there is no reason why someone cannot craft a special tool for OpenVPN.

The TLS layer in OpenVPN runs on a proprietary socket layer which runs atop UDP/TCP, as can be seen in this picture.
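The check described in this answer (looking at a capture to see whether the Heartbeat extension is advertised) can be scripted. The following is an added example, not code from the answer or from the OpenVPN project: it parses the extensions of a TLS ClientHello/ServerHello record and reports whether extension type 0x000F (heartbeat, RFC 6520) is present. It assumes the TLS record has already been extracted from OpenVPN's own control-channel framing over UDP; the sample ServerHello is constructed inline, not taken from a real capture.

```python
import struct
from typing import Dict

HEARTBEAT_EXT_TYPE = 0x000F  # RFC 6520 "heartbeat" extension type


def tls_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Parse a TLS handshake record holding a ClientHello or ServerHello
    and return its extensions as {extension_type: extension_data}.
    The record is assumed to be already unwrapped from OpenVPN's
    control-channel packet format (its reliability layer over UDP)."""
    if len(record) < 5 or record[0] != 0x16:  # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                      # protocol version + 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                # session id
    if hs_type == 1:                  # ClientHello: suite list + compression list
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len
        pos += 1 + hello[pos]
    elif hs_type == 2:                # ServerHello: one suite + one compression
        pos += 2 + 1
    else:
        raise ValueError("not a ClientHello/ServerHello")
    exts: Dict[int, bytes] = {}
    if pos >= len(hello):             # no extensions block present at all
        return exts
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts


def advertises_heartbeat(record: bytes) -> bool:
    """True if the hello in this record carries the heartbeat extension."""
    return HEARTBEAT_EXT_TYPE in tls_hello_extensions(record)


def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample ServerHello (TLS 1.2, zero random) for testing."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


HEARTBEAT_EXT = struct.pack("!HH", HEARTBEAT_EXT_TYPE, 1) + b"\x01"  # peer_allowed_to_send
RENEG_EXT = struct.pack("!HH", 0xFF01, 1) + b"\x00"                  # renegotiation_info
SAMPLE_WITH_HB = build_server_hello(RENEG_EXT + HEARTBEAT_EXT)
SAMPLE_WITHOUT_HB = build_server_hello(RENEG_EXT)
```

A server that does not advertise the extension in its ServerHello is not exploitable via the heartbeat path even with a vulnerable OpenSSL build, which is why checking the capture is a useful first triage step alongside checking the library version.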

Solution 2:

Yes, OpenVPN derives its encryption entirely from OpenSSL. The OpenVPN community has posted a response to Heartbleed: https://community.openvpn.net/openvpn/wiki/heartbleed