OpenVPN clients are a bit too generous when accepting
configuration options from a server. It is possible to transmit
environment variables to client-side shell scripts. There are some
filters in place to prevent obvious nonsense, however they don't
catch the good old LD_PRELOAD trick. All we need is to put a file
onto the client under a known location (e.g. by returning a
specially crafted document upon web access) and we have a remote
root exploit. But since the attack may only come from authenticated
servers, this threat is greatly reduced.