We have received reports that the Qualys Labs scan flags the OpenVPN Access Server as running an open web proxy and rates this as a critical vulnerability. We have determined that this is a false positive: the Access Server is not an open web proxy, and the Qualys Labs test wrongly indicates that it is. It is therefore not a real vulnerability and can safely be dismissed in this particular case. It sometimes happens, though rarely, that the method used to scan for a vulnerability is flawed or is triggered by unexpected output, so the scan reports a vulnerability of this type where none exists. This is one such case.
In our tests to determine whether this issue really exists, what actually happens is that the request to retrieve an external URL (or any URL) is simply ignored by the Access Server. The only thing the Access Server does is look at the host name that your browser reports when connecting and use that as the basis for the next step. For example, if your Access Server is at https://vpn.mycompany.com/, the web browser reports the host name vpn.mycompany.com. The Access Server takes that host name, appends /__session_start__/ to it, and redirects your web browser to the resulting URL. So, to be clear, your web browser is redirected to the host that your web browser itself gave to the Access Server, and then to the specific page there where web session handling begins. There is no exploit here: you end up at the server you originally intended to visit. Any GET request for an external website is ignored entirely. Where an open web proxy would retrieve external website data and send it to you, the Access Server most certainly does not.
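The following is an added example, not OpenVPN's own code: a small model of the redirect behaviour described above (request target ignored, redirect built from the host name the client reported, assumed here to be the Host header) and a triage helper that tells that "redirect back to yourself" response apart from a genuine open proxy when reviewing a scanner finding. The function names, the `access_server_response` model and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

SESSION_START = "/__session_start__/"


def access_server_response(request_line: str, headers: dict) -> dict:
    """Hypothetical model of the behaviour the post describes: the request
    target (even an absolute URL naming another site) is never fetched; the
    client is redirected to <the Host it reported>/__session_start__/."""
    host = headers.get("Host", "").strip()
    if not host:
        # Nothing to build a redirect from; refuse rather than guess.
        return {"status": 400, "headers": {}, "body": b""}
    return {"status": 302,
            "headers": {"Location": f"https://{host}{SESSION_START}"},
            "body": b""}


def triage_open_proxy_finding(host: str, target_url: str, resp: dict) -> str:
    """Classify the response to a proxy-style probe (GET http://third-party/).
    'open-proxy'    : 2xx with a body, i.e. the server fetched the foreign
                      resource on the client's behalf (a real finding).
    'open-redirect' : client is sent on to the third-party host it named
                      (not proxying, but worth a separate look).
    'self-redirect' : redirect to the Host the client itself supplied; this is
                      the Access Server case and a false positive.
    'other'         : anything else, needs a human look."""
    status = resp["status"]
    loc_host = (urlsplit(resp["headers"].get("Location", "")).hostname or "").lower()
    target_host = (urlsplit(target_url).hostname or "").lower()
    own_host = host.split(":")[0].lower()  # drop any :port from the Host value
    if 200 <= status < 300 and resp["body"]:
        return "open-proxy"
    if 300 <= status < 400 and loc_host:
        if loc_host == target_host:
            return "open-redirect"
        if loc_host == own_host:
            return "self-redirect"
    return "other"


if __name__ == "__main__":
    # Constructed probe: a scanner asks the server to fetch a third-party URL.
    probe = access_server_response("GET http://example.com/ HTTP/1.1",
                                   {"Host": "vpn.mycompany.com"})
    print(probe["headers"]["Location"])
    print(triage_open_proxy_finding("vpn.mycompany.com", "http://example.com/", probe))
```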
If you have any further questions please contact the support ticket system on our website:
https://openpvn.net/support
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.