New AmneziaVPN Security Audit by 7ASecurity

AmneziaVPN is an open source VPN specifically designed for users in authoritarian countries with significant online censorship of content, services, and circumvention tools. The platform modifies standard VPN protocols to mask internet traffic, making it harder for sophisticated censors to detect and block. AmneziaVPN also allows users to set up and host their own VPN server. 


Audit Description

OTF’s Security Lab partner 7ASecurity performed a “white box” security audit of the AmneziaVPN platform. A white box audit provides testers with full access to the source code, test systems, and documentation. 7ASecurity conducted this third security audit of AmneziaVPN over the course of 18 days in December 2024 and January 2025.

Scope

The audit focused on AmneziaVPN’s entire ecosystem, including user-facing applications, custom VPN protocols, and infrastructure. There were three new goals for this iteration of the tool’s audit: 1) reviewing the security, privacy, and recent code updates of the VPN; 2) examining the supply chain to ensure that the distribution/download/update process, as well as the other dependencies that Amnezia’s code relies on, are secure; and 3) creating lightweight threat model documentation that identifies threats and vulnerabilities and provides mitigation suggestions.

Findings

Overall, auditors found that AmneziaVPN has strong safeguards against a broad range of potential attacks. They identified two critical vulnerabilities and one high-risk vulnerability:

Critical Risks: 

1. Arbitrary RCE via OpenVPN Config Import: AmneziaVPN users import configuration files (OpenVPN config) to set up their VPN connection. Auditors identified two weaknesses in the security check that scans these files for malicious content. A potential attacker could exploit these flaws by tricking a user into importing a malicious configuration file, which would give the attacker full control of the user’s system with administrator privileges (called “Remote Code Execution” or RCE).

2. VPN Config Tampering via Exposed Admin API: AmneziaVPN offers a premium service for users who don’t want to set up their own server. However, the administrative control system (Admin API) for this service had several major security weaknesses, including a failure to distinguish premium-service users from administrators. Any paid subscriber could use their own credentials to access admin-level functions. An attacker could thus gain administrative control, potentially compromising all of the premium users’ VPN connections (VPN config tampering).
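For the first critical finding above, the following is an added example, not AmneziaVPN's own code (this page does not describe the two weaknesses in the real check): a strict allowlist validator for imported OpenVPN client configs, which rejects any directive not known to be safe instead of trying to pattern-match the dangerous ones. The directive allowlist and the sample config are constructed assumptions.

```python
import re

# Constructed allowlist of directives a *client* config may contain (not
# AmneziaVPN's own list; extend it for your deployment). Everything else is
# rejected, so command-executing options such as "up", "down", "plugin" or
# "script-security" never reach the OpenVPN process.
ALLOWED_DIRECTIVES = {
    "client", "dev", "dev-type", "proto", "remote", "port", "nobind",
    "resolv-retry", "persist-key", "persist-tun", "remote-cert-tls",
    "cipher", "data-ciphers", "auth", "verb", "mute", "key-direction",
    "auth-nocache", "tls-version-min", "ca", "cert", "key", "tls-auth",
    "tls-crypt", "redirect-gateway", "dhcp-option", "pull", "tun-mtu",
}
# Inline <tag>...</tag> blocks that may carry certificates and keys.
ALLOWED_INLINE = {"ca", "cert", "key", "tls-auth", "tls-crypt", "dh"}

def validate_ovpn(text: str) -> list[str]:
    """Return the list of violations; an empty list means the config may be imported."""
    violations: list[str] = []
    inline = None  # name of the inline block currently being read
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline is not None:                  # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:                                   # opening inline block
            inline = m.group(1)
            if inline not in ALLOWED_INLINE:
                violations.append(f"line {lineno}: inline block <{inline}> not allowed")
            continue
        if line.startswith("<"):
            violations.append(f"line {lineno}: malformed inline tag {line!r}")
            continue
        # OpenVPN also accepts the "--" prefix inside config files, so normalise
        # it (and case) before the lookup; a denylist that forgets this is bypassed.
        directive = line.split(None, 1)[0].lower().lstrip("-")
        if directive not in ALLOWED_DIRECTIVES:
            violations.append(f"line {lineno}: directive {directive!r} not allowed")
    if inline is not None:
        violations.append(f"unterminated inline block <{inline}>")
    return violations

if __name__ == "__main__":
    # Constructed sample: a config that tries to run a script on connect.
    sample = "client\ndev tun\nremote vpn.example.test 1194\nscript-security 2\n--up /path/to/script\n"
    print(validate_ovpn(sample))  # -> two 'not allowed' violations
```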

High Risk:

1. DoS via Insecure Communication in AmneziaVPN Client: Communication between the AmneziaVPN Client and AmneziaVPN’s gateway was sent over HTTP (unencrypted and insecure), making it possible for a potential threat actor to block users from connecting to the VPN through a Denial of Service (DoS) attack.

Auditors also identified one medium and two low-risk vulnerabilities, including the disablement of Perfect Forward Secrecy (PFS), which ensures that the session keys of VPN connections remain secure even if long-term keys are later compromised (without PFS, an attacker could decrypt previously captured VPN traffic).

Remediation

Upon retesting, auditors found that AmneziaVPN resolved all the identified vulnerabilities.

You can read the Audit Report HERE

You can read OTF's Blog HERE