Port reference
Port 1194 (UDP/TCP) – OpenVPN
OpenVPN — a TLS-based open-source VPN providing encrypted remote-access and site-to-site tunnels.
Default state
Open on OpenVPN servers, typically internet-facing so remote users can connect. Defaults to UDP 1194, optionally TCP 1194/443.
Common attacks
- Credential brute force and password spraying against VPN auth
- Theft of client configs, keys, and certificates
- Denial of service against the VPN daemon
Hardening
- Enforce certificate auth plus MFA; disable password-only logins
- Use tls-auth / tls-crypt HMAC to drop unauthenticated packets
- Keep OpenVPN and OpenSSL patched against known CVEs
- Rate-limit and geo/IP-filter connection attempts; monitor auth logs
nmap snippet
nmap -sU -p1194 --script openvpn-fingerprint <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 1194?
Port 1194 is the registered default for OpenVPN, an open-source VPN built on the TLS/SSL stack via the OpenSSL library. It creates encrypted remote-access and site-to-site tunnels, authenticating peers with certificates and optionally username/password, and carries traffic over UDP 1194 by default or TCP when firewall traversal is needed. The server is normally internet-facing so remote clients can reach it.
Why it matters for security
An OpenVPN endpoint is a gateway into the internal network, so a compromise can be catastrophic. Servers that allow password-only authentication are exposed to brute force and password spraying. Stolen or leaked client configuration files, private keys, and certificates let an attacker connect as a legitimate user. The daemon and its OpenSSL dependency have also had vulnerabilities that enable denial of service or worse if left unpatched.
How it's attacked
Attackers identify OpenVPN by its handshake fingerprint, then brute-force or spray credentials against weakly protected servers. Phishing and endpoint compromise are used to exfiltrate .ovpn profiles and key material, granting direct tunnel access. Malformed packets and connection floods target the daemon for DoS, and known CVEs in OpenVPN/OpenSSL are exploited on unpatched hosts.
Hardening checklist
Require certificate authentication plus MFA and disable password-only logins. Enable tls-auth/tls-crypt so the server silently drops packets lacking a valid HMAC, defeating most scanning and DoS. Keep OpenVPN and OpenSSL patched, rate-limit and IP-filter connection attempts, and monitor authentication logs for spraying. Use the nmap snippet above to fingerprint OpenVPN on servers you are authorized to test.
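An added example of the log monitoring the checklist calls for (not code from the original page or from the OpenVPN project): it parses constructed lines written in the style of an OpenVPN server log and flags sources with repeated authentication failures, plus any source that establishes a tunnel shortly after a run of failures. The timestamp layout, the peer ip:port position and the error wording are assumptions; adjust LINE_RE and the markers to match your server's actual output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of an OpenVPN server log at verb 3.
# Assumption: lines start with "%a %b %d %H:%M:%S %Y" followed by the peer ip:port.
SAMPLE_LOG = """\
Tue Mar  5 10:15:01 2024 203.0.113.5:51234 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Mar  5 10:15:02 2024 203.0.113.5:51235 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Mar  5 10:15:03 2024 203.0.113.5:51236 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Mar  5 10:15:04 2024 203.0.113.5:51237 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Mar  5 10:15:05 2024 203.0.113.5:51238 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Mar  5 10:15:06 2024 198.51.100.7:40000 TLS Error: TLS handshake failed
Tue Mar  5 10:16:30 2024 192.0.2.10:55555 [alice] Peer Connection Initiated with [AF_INET]192.0.2.10:55555
Tue Mar  5 10:20:00 2024 203.0.113.5:51300 [bob] Peer Connection Initiated with [AF_INET]203.0.113.5:51300
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<ip>[\d.]+):\d+ (?P<msg>.*)$")
FAILURE_MARKERS = ("TLS Auth Error", "TLS Error", "VERIFY ERROR")  # per-peer failure lines
SUCCESS_MARKER = "Peer Connection Initiated"                       # tunnel established


def parse_line(line):
    """Return (timestamp, source_ip, message) for a peer-attributed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("msg")


def analyze(log_text, window_s=600, threshold=5):
    """Flag sources with >= threshold failures inside a window_s-second sliding window,
    and sources that establish a tunnel while failures are still inside that window."""
    recent = defaultdict(deque)   # source ip -> timestamps of failures still in window
    brute_force = {}              # source ip -> failure count when first flagged
    success_after_failures = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        window = recent[ip]
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()      # age out failures older than the window
        if msg.startswith(FAILURE_MARKERS):
            window.append(ts)
            if len(window) >= threshold and ip not in brute_force:
                brute_force[ip] = len(window)
        elif SUCCESS_MARKER in msg and window:
            success_after_failures.append(ip)  # success right after failed attempts
    return {"brute_force": brute_force, "success_after_failures": success_after_failures}
```

Feed it the rotated server log and block or rate-limit the flagged sources at the firewall; a success after a burst of failures from the same source is the line to investigate first.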
Frequently asked questions
- Does OpenVPN use TCP or UDP?
- By default OpenVPN uses UDP 1194 for performance, but it can run over TCP (often 443) to traverse restrictive firewalls and proxies.
- Is exposing OpenVPN on port 1194 safe?
- It is reasonably safe with certificate authentication, tls-crypt, MFA, and patching. Password-only setups are vulnerable to brute force and should be avoided.