Is OpenVPN UDP vulnerable to heartbleed?
I need to decide if I'm going to rebuild some servers, but they are very carefully firewalled; 1194/TCP is one of the firewalled ports (yay whitelist!).
1194/UDP is used (mission critical).
Solution 1:
OpenVPN over UDP also uses TLS, so it is equally affected, just like HTTPS. I have verified this by looking at a packet capture, and saw that the Heartbeat extension is advertised.
Many public tools just check for TLS/STARTTLS servers, but there is no reason why someone cannot craft a special tool for OpenVPN.
The TLS layer in OpenVPN runs on a proprietary socket layer which runs atop UDP/TCP, as can be seen in this picture.
Solution 2:
Yes, OpenVPN derives its encryption entirely from OpenSSL. The OpenVPN community has posted a response to Heartbleed: https://community.openvpn.net/openvpn/wiki/heartbleed