OpenVPN – OSTIF Goals

OpenVPN is software for securing communications over untrusted networks (like the internet). It uses advanced cryptography to encrypt communications in a point-to-point fashion. It is widely used and supported by businesses and individuals all over the world.

OSTIF Goals for OpenVPN:

Primary goals:

-Establish a bug bounty to encourage close scrutiny by the worldwide security community.
-A full security audit of OpenVPN and OpenVPN-GUI for Windows.

Stretch goals:

Create a grant system to fund research and development for OpenVPN in the following areas:

-New Feature – Full support for AEAD mode ciphers (AES-GCM) in both the control channel and data channel.
-New Feature – Full support for non-standard elliptic curves such as the “fully rigid” curves listed at http://safecurves.cr.yp.to/rigid.html
-New Feature – Allow the user to select which elliptic curve to use for ephemeral sessions.
-New Feature – Full support for ChaCha20 / Poly1305 (significantly less CPU overhead, easy to audit, will decrease battery usage on mobile devices).
-Bug Fix / Improvement – Kill service if TAP driver is unavailable. Currently in Windows, if the TAP device is not accessible due to permissions or other issues, OpenVPN silently fails and appears to connect, while actually doing nothing to protect user data.
-New Feature – Native obfuscation support. Some internet service providers and governments have been interfering with OpenVPN connections based on detecting telltale patterns of OpenVPN traffic. The OpenVPN team needs to implement native obfuscation support to prevent this problem from proliferating further than it already has. This could be done by implementing the currently unofficial “scramble” patch or by implementing a new, more robust solution.
-Bug Fix / Improvement – Change default cipher suites to stronger settings.
-Bug Fix / Improvement – Throw warnings for unsafe cryptography, or disable unsafe crypto entirely (disable SSL3.0 and TLSv1 cipher suites).
-Research – Improve the UI to better accommodate non-savvy users.
-Bug Fix / Improvement – Improve IPv6 support – Allow OpenVPN to properly support ISPs that use “DS-Lite” or other IPv6 services. Also modify the IPv6 routing table by default for devices that run dual-mode (IPv4 + IPv6) systems.
-New Feature – Improve GUI to enhance usability.