VPN servers that are based on OpenVPN might be vulnerable to remote code execution attacks using Shellshock which is a family of security bugs that affects the Bash Unix shell.
Fredrik Strömberg, co-founder of a commercial VPN service called Mullvad posted on Hacker News a possible attack vector for OpenVPN
“OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session,” Strömberg said. “Many of these commands are called with environmental variables set, some of which can be controlled by the client.”
All you have to do to make sure your OpenVPN servers is free from this vulnerability is to upgrade your bash to the latest version. For example, on RedHat or CentOS, do the following to fix this issue:
yum update bash