CVE-2025-2704: Critical Bug in OpenVPN Can Trigger Server Crashes


The OpenVPN community has released a critical security update, OpenVPN 2.6.14, to patch a server-side vulnerability (CVE-2025-2704) that can be used to crash VPN servers configured with the --tls-crypt-v2 option. The flaw does not compromise encrypted data or open the door to code execution, but it can still cause a denial of service (DoS), potentially disrupting secure communication channels for users worldwide.

OpenVPN versions 2.6.1 through 2.6.13 are vulnerable if they are set up with the --tls-crypt-v2 option enabled. This configuration is often used to encrypt and authenticate TLS control channel packets, offering stronger privacy and anti-DPI (Deep Packet Inspection) protection.

“On reception of a particular combination of incoming packets, some authorized and some malformed, client state in the server gets corrupted and a self-check is triggered that exits the server with an ASSERT message,” reads the security advisory.

The result is an assertion failure that crashes the server process; in a production VPN environment, that can mean interrupted connections for hundreds or thousands of users.

According to the OpenVPN advisory:

  • The attacker must either:
    • Possess a valid tls-crypt-v2 client key, or
    • Monitor network traffic and inject specially crafted packets during the TLS handshake.
  • When the right combination of legitimate and malformed packets hits the server, client state becomes corrupted.
  • The server, detecting internal inconsistencies, triggers an ASSERT statement and terminates immediately.

While alarming, CVE-2025-2704 does not compromise encryption or allow for data theft. “No crypto integrity is violated, no data is leaked, and no remote code execution is possible,” the advisory confirms.

If you’re running an OpenVPN server with --tls-crypt-v2, here’s how to stay protected:

  1. Upgrade immediately to OpenVPN 2.6.14.
  2. If an upgrade isn’t immediately possible, disable --tls-crypt-v2 as a temporary workaround (though this weakens the control channel protection it provides).
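As an added example, not taken from the advisory or from the OpenVPN project, the following Python checker combines the two conditions the advisory gives for exposure: an affected version (2.6.1 through 2.6.13) and tls-crypt-v2 actually configured, whether as a config-file directive, an inline `<tls-crypt-v2>` block, or a `--tls-crypt-v2` command-line flag. The version banner and config text below are constructed sample input.

```python
import re

# Conditions from the advisory: OpenVPN 2.6.1 through 2.6.13 is affected,
# but only when the server runs with --tls-crypt-v2. 2.6.14 carries the fix.
FIRST_AFFECTED = (2, 6, 1)
FIXED_IN = (2, 6, 14)


def parse_openvpn_version(banner: str) -> tuple:
    """Return (major, minor, patch) from the first line of `openvpn --version`."""
    m = re.search(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no OpenVPN version in {banner!r}")
    return tuple(int(x) for x in m.groups())


def uses_tls_crypt_v2(config_text: str, cmdline: str = "") -> bool:
    """True if tls-crypt-v2 is enabled in the config file (key file path or
    inline <tls-crypt-v2> block) or passed as --tls-crypt-v2 on the command line."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # OpenVPN comment lines
            continue
        if stripped.split()[0] == "tls-crypt-v2" or stripped.startswith("<tls-crypt-v2>"):
            return True
    return re.search(r"(^|\s)--tls-crypt-v2(\s|$)", cmdline) is not None


def assess_cve_2025_2704(banner: str, config_text: str, cmdline: str = "") -> str:
    """Classify a server as VULNERABLE, VERSION_AFFECTED_OPTION_OFF or NOT_AFFECTED."""
    version = parse_openvpn_version(banner)
    affected_version = FIRST_AFFECTED <= version < FIXED_IN
    if affected_version and uses_tls_crypt_v2(config_text, cmdline):
        return "VULNERABLE"
    if affected_version:
        # Patch is still due, but the crashing code path is not reachable.
        return "VERSION_AFFECTED_OPTION_OFF"
    return "NOT_AFFECTED"


# Constructed sample input (not captured from a real host).
SAMPLE_BANNER = "OpenVPN 2.6.13 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]"
SAMPLE_CONFIG = """\
port 1194
proto udp
# control channel hardening
tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2-server.key
"""

if __name__ == "__main__":
    print(assess_cve_2025_2704(SAMPLE_BANNER, SAMPLE_CONFIG))  # VULNERABLE
```

Feed it the first line of `openvpn --version` and the server's config file to get a quick triage across a fleet before scheduling the 2.6.14 upgrade.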
