While this is arguably a misfeature, it's not like anyone reading the documentation wouldn't know about it, and you have to explicitly enable it. It does not seem too much of a problem to me. Joachim
"Secure by default" is not just a catch phrase. it's a really good idea. By making the default behaviour to be insecure (once enabled) the result will be many more insecure sites than if it was secured (i.e. authentication required) and had to be made insecure by design. Unfortunately although they have disabled it by default, once enabled it presents a huge security hole that most people would not expect. I would not expect an administrative service to be completely lacking in security once enabled, I suspect others are in the same boat.
As a developer: If you disable it by defaultAnd you make it use strong encryption such as TLS/SSL by default (linking to OpenSSL isn't to terribly hard)
And you require a user account to be created and passworded, or provide the ability to use PAM for example and require that a user belong to a specific group (openvpnadmin for example)
Then you make it much more difficult for people to end up with an insecure system.
-Kurt