Port 1194

Port 1194 is the default port for OpenVPN, the open-source virtual private network protocol that has been protecting traffic across hostile networks since 2001. When you connect to a VPN and watch your IP address change to another country, when a remote worker accesses their company's internal systems from a coffee shop, when a journalist in a surveilled country sends files back to their editor, there is a good chance that traffic flows through port 1194.

This is the port of invisible passages. It carries the tunnel that makes the hostile network disappear.

What OpenVPN Does

OpenVPN creates encrypted tunnels between computers. It wraps your network traffic in layers of cryptography, sends it through the public Internet, and unwraps it on the other side. To anyone watching the traffic in between, the contents are unreadable, just encrypted noise flowing to and from port 1194.

The protocol operates in two modes:

TUN mode (Layer 3) creates a virtual network interface that carries IP packets. This is what most VPN users experience: their traffic gets routed through a tunnel and emerges from a server elsewhere on the Internet.[1]

TAP mode (Layer 2) creates a virtual Ethernet adapter that can carry any network protocol, including non-IP traffic like NetBIOS. This allows bridging entire network segments, making a remote computer appear to be physically present on a local network.[2]

OpenVPN can run over either UDP (the default and faster option) or TCP (slower, but more likely to get through restrictive firewalls). UDP is preferred because it avoids the "TCP meltdown" problem, where running TCP inside TCP creates cascading retransmission delays.[3]

The Origin Story: Paranoia in Central Asia

In 2001, James Yonan was living a programmer's dream. His employer had "unchained him from his workstation" on one condition: maintain an always-reachable telepresence. He could work from anywhere in the world, as long as he stayed connected.[4]

So Yonan traveled. He checked into the office from Hurghada, Egypt. From Bishkek, Kyrgyzstan. From Internet cafes across Central Asia, routing his traffic through Asian and Russian infrastructure back to his office in the United States.

And somewhere along the way, he got scared.

"Traveling in Central Asia (pre 9/11)," Yonan later explained in an interview, "I was especially concerned about active attacks and connection hijacking, since my Internet path crossed through Russia and other regions having an absurd number of very talented hackers who were also unemployed."[5]

This was not abstract concern. Yonan was watching his packets traverse infrastructure controlled by people he did not trust, in countries where security practices ranged from lax to actively hostile. Every keystroke, every file transfer, every email, readable by strangers along the path.

He needed a tunnel. And the existing options did not satisfy him.

IPsec existed, but it was complex to configure and required kernel-level modifications. Other open-source VPN solutions like VTun and CIPE existed, but Yonan saw them as insufficiently rigorous about cryptography. There was a philosophical divide in the VPN community between security-focused IPsec advocates and usability-focused non-IPsec projects.[6]

Yonan decided to bridge both camps. He would take the networking innovations of the usability-focused projects, the user-space implementation and cross-platform portability, and combine them with the cryptographic rigor of SSL/TLS, protocols that had been "designed, attacked, and ultimately endorsed by some of the brightest cryptographers."[7]

The first private release came in 2001. On March 14, 2002, Yonan created a SourceForge project. Version 1.1.0 followed almost a month later.[8] IANA's official assignment of port 1194 came later; it became the default starting with version 2.0-beta17 (earlier versions had used port 5000).[9]

OpenVPN was born from a traveler's paranoia. It has since been downloaded over 60 million times.[10]

How the Protocol Works

OpenVPN's architecture separates traffic into two channels:

The Control Channel handles authentication, key negotiation, and configuration. This channel uses TLS, the same protocol that secures HTTPS websites. Client and server exchange certificates, verify each other's identity, and negotiate the encryption keys that will protect actual traffic.[11]

The Data Channel carries the encrypted tunnel traffic itself. Once keys are established through the control channel, actual network packets are encrypted with symmetric cryptography (typically AES-256 or ChaCha20) and transmitted.[12]

This separation is elegant. TLS handles the complex, security-critical work of authentication and key exchange, a job it was designed for and has been battle-tested on. The data channel then uses fast symmetric encryption for the bulk traffic, which TLS is not optimized for.[13]

An important distinction: OpenVPN uses TLS for key exchange, but it does not tunnel traffic through TLS. The data channel uses OpenVPN's own protocol, completely independent of TLS. This avoids the performance overhead of running TCP-based TLS for every packet.[14]

OpenVPN supports multiple authentication methods:

  • Certificates: Client and server each present X.509 certificates signed by a trusted certificate authority. This is the recommended approach for production deployments.
  • Pre-shared keys: A static key shared between client and server. Simpler but less flexible.
  • Username/password: Can be combined with certificates for two-factor authentication.[15]

The protocol also includes protections against replay attacks and man-in-the-middle attacks. The tls-auth directive adds an HMAC signature to all handshake packets, allowing immediate rejection of packets that were not signed with the correct key. This provides protection even before the TLS handshake completes.[16]
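The gatekeeping described above, as an added illustration (not OpenVPN's own code): a receiver that checks an HMAC tag on every handshake packet and tracks packet ids in a sliding window, so unauthenticated and replayed packets are dropped before any TLS processing. The packet layout, the demo key and the opcode value are constructed for this example and are a simplification, not OpenVPN's exact wire format.

```python
import hmac
import hashlib
import struct

# Constructed demo key; in OpenVPN this would come from the tls-auth key file.
DEMO_KEY = b"\x01" * 20
OPCODE = 0x38  # constructed value for the demo

# Simplified control-channel packet layout assumed here (illustration only):
#   opcode(1) | session_id(8) | packet_id(4) | timestamp(4) | payload | hmac(20)
HEADER = struct.Struct("!B8sII")
TAG_LEN = hashlib.sha1().digest_size


def seal(key, opcode, session_id, packet_id, timestamp, payload):
    """Build a packet and append an HMAC-SHA1 tag over everything before it."""
    body = HEADER.pack(opcode, session_id, packet_id, timestamp) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()


class ControlChannelGate:
    """Drop unauthenticated or replayed handshake packets before TLS sees them."""

    def __init__(self, key, window=64):
        self.key = key
        self.window = window
        self.highest = 0   # highest packet_id accepted so far
        self.seen = set()  # accepted ids still inside the sliding window

    def accept(self, packet):
        if len(packet) < HEADER.size + TAG_LEN:
            return "drop:short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        # Constant-time comparison; a bad tag is rejected before parsing anything.
        if not hmac.compare_digest(tag, expected):
            return "drop:bad-hmac"
        _, _, packet_id, _ = HEADER.unpack_from(body)
        # Replay check: already seen, or too far behind the window.
        if packet_id in self.seen or packet_id + self.window <= self.highest:
            return "drop:replay"
        if packet_id > self.highest:
            self.highest = packet_id
        self.seen.add(packet_id)
        self.seen = {p for p in self.seen if p + self.window > self.highest}
        return "accept"
```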

Security Considerations

OpenVPN has a strong security track record, but it is not without vulnerabilities:

2024 OVPNX Vulnerabilities: A chain of vulnerabilities (CVE-2024-27459, CVE-2024-24974, CVE-2024-27903) affecting Windows installations could allow remote code execution and local privilege escalation. These were promptly patched.[17]

2023 Memory Safety Issues: Use-after-free and division-by-zero vulnerabilities (CVE-2023-46849, CVE-2023-46850) were discovered in Access Server, with potential for sensitive information leakage from memory.[18]

Denial of Service: Various DoS vulnerabilities have been found over the years, including attacks via malformed certificates and oversized control packets.[19]

The consistent pattern: vulnerabilities are discovered, disclosed responsibly, and patched quickly. OpenVPN's open-source nature means its code has been scrutinized by security researchers worldwide for over two decades.

The larger concern is not OpenVPN's code but its complexity. At approximately 70,000 lines of code, OpenVPN has a substantial attack surface compared to newer protocols. WireGuard, its primary competitor, achieves similar functionality in roughly 4,000 lines.[20]

Recommendations:

  • Always use the latest version
  • Use certificate-based authentication, not pre-shared keys
  • Enable tls-auth or tls-crypt for additional control channel protection
  • Prefer UDP over TCP for better performance
  • Use strong cipher suites (AES-256-GCM or ChaCha20-Poly1305)
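The configuration-side recommendations above (certificate authentication rather than a static key, tls-auth or tls-crypt, UDP, AES-256-GCM or ChaCha20-Poly1305), turned into a small audit over a server.conf, as an added example that is not part of the original article or the OpenVPN project. The two sample configs are constructed for this illustration; the directive names (proto, secret, tls-auth, tls-crypt, cipher, data-ciphers, ca, cert, key) are real OpenVPN directives, and the "latest version" recommendation is out of scope for a config check.

```python
# Constructed sample server.conf fragments: a weak one and a hardened one.
WEAK_CONF = """
proto tcp
port 1194
secret static.key        # pre-shared static key instead of certificates
cipher BF-CBC
"""
HARDENED_CONF = """
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
tls-crypt tc.key         # control channel authenticated and encrypted
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM:CHACHA20-POLY1305
"""
STRONG_CIPHERS = {"AES-256-GCM", "CHACHA20-POLY1305"}


def parse_conf(text):
    """Return {directive: [args...]} for each non-empty, non-comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def audit(text):
    """Check a config against the recommendations; return a list of findings."""
    conf = parse_conf(text)
    findings = []
    if "secret" in conf:
        findings.append("pre-shared static key in use; prefer certificate auth")
    elif not {"ca", "cert", "key"} <= set(conf):
        findings.append("no certificate material (ca/cert/key) configured")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("control channel unprotected: add tls-auth or tls-crypt")
    if conf.get("proto", ["udp"])[0].startswith("tcp"):
        findings.append("proto tcp: prefer udp unless a firewall forces tcp")
    # data-ciphers is colon-separated; cipher is a single name.
    ciphers = set(conf.get("cipher", []))
    ciphers |= set(":".join(conf.get("data-ciphers", [])).split(":")) - {""}
    if not ciphers or not ciphers <= STRONG_CIPHERS:
        findings.append("weak or unspecified cipher: use AES-256-GCM or CHACHA20-POLY1305")
    return findings
```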

The Competition: WireGuard Arrives

For nearly two decades, OpenVPN was the gold standard for open-source VPN solutions. Then WireGuard appeared.

Created by Jason Donenfeld and merged into the Linux kernel in 2020, WireGuard takes a radically different approach: minimal code, modern cryptography, and a focus on simplicity. Where OpenVPN supports multiple cipher suites and authentication methods, WireGuard makes opinionated choices: Curve25519 for key exchange, ChaCha20 for encryption, Poly1305 for authentication. No options. No configuration complexity.[21]

The performance difference is significant. In benchmarks, WireGuard outperforms OpenVPN by approximately 57% in throughput while using less CPU.[22] It handles network transitions more smoothly, uses less data overhead, and establishes connections faster.

So why does OpenVPN still matter?

Flexibility: OpenVPN can run over TCP port 443, disguising itself as HTTPS traffic to bypass firewalls. WireGuard is UDP-only.

Enterprise features: Certificate revocation, LDAP integration, detailed logging, and management tools have been built around OpenVPN for two decades.

Platform support: OpenVPN runs essentially everywhere. WireGuard is newer and still building its ecosystem.

Audit trail: OpenVPN's code has been analyzed by security researchers since 2002. WireGuard is younger and has less exposure.

The market is moving toward WireGuard for new deployments. But OpenVPN remains deeply embedded in enterprise infrastructure, and its flexibility means it will remain relevant for years to come.

Related Ports

Port | Protocol | Relationship
443 | HTTPS | OpenVPN can run on 443 to bypass firewalls, appearing as normal HTTPS traffic
500 | IKEv2/IPsec | Alternative VPN protocol, the kernel-based approach OpenVPN deliberately avoided
4500 | IPsec NAT-T | IPsec traffic traversing NAT
51820 | WireGuard | Modern competitor protocol, faster but less flexible
1723 | PPTP | Legacy VPN protocol, now considered insecure
1701 | L2TP | Layer 2 Tunneling Protocol, often used with IPsec
