by lipnitsk 2097 days ago
Won't the server need to accept a TCP connection to receive the cert? If so, the port will show as open. I suppose with UDP it is possible.
2 comments

I believe the recommended configuration is to run OpenVPN via UDP and only accept connections from trusted certificates. If you're running it on TCP then a scanner would be able to see that you have an open port but still can't see what's running on it.
It does, but what you see is not a portscan, it is a lookup from the Shodan database and they store information about known services on the public Internet.
Shodan does something like a portscan of the entire Internet, albeit fewer ports than if you did nmap -p-
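
The difference discussed in this thread can be reproduced on loopback. This is an added example, not part of any comment above and not OpenVPN code: a TCP listener completes the handshake before it has seen any credential, while a UDP service that drops unauthenticated datagrams gives a scanner nothing to observe. The HMAC pre-shared key is a simplified stand-in (an assumption) for the certificate check, and all names and values are constructed for the demo.

```python
import hashlib, hmac, socket, threading

KEY = b"constructed-demo-key"  # constructed sample secret, stand-in for real credentials
LOOP = "127.0.0.1"

def tag(payload):
    return hmac.new(KEY, payload, hashlib.sha256).digest()

def udp_service(sock):
    # Reply only to datagrams ending in a valid 32-byte HMAC; drop the rest silently.
    while True:
        try:
            data, peer = sock.recvfrom(2048)
        except OSError:
            return  # socket was closed
        payload, mac = data[:-32], data[-32:]
        if len(data) > 32 and hmac.compare_digest(mac, tag(payload)):
            sock.sendto(b"ok", peer)

def udp_probe(port, datagram):
    # Returns the reply bytes, or None if the service stayed silent.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(0.5)
        s.sendto(datagram, (LOOP, port))
        try:
            return s.recvfrom(2048)[0]
        except socket.timeout:
            return None

def tcp_probe(port):
    with socket.socket() as s:
        s.settimeout(0.5)
        return s.connect_ex((LOOP, port)) == 0  # True once the kernel completes the handshake

def run_demo():
    tcp = socket.socket()
    tcp.bind((LOOP, 0))
    tcp.listen()  # never accept(): the port still shows as open
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((LOOP, 0))
    threading.Thread(target=udp_service, args=(udp,), daemon=True).start()
    uport = udp.getsockname()[1]
    result = (tcp_probe(tcp.getsockname()[1]),
              udp_probe(uport, b"probe"),
              udp_probe(uport, b"hello" + tag(b"hello")))
    tcp.close()
    return result

if __name__ == "__main__":
    print(run_demo())
```

From the outside, the silent UDP port is indistinguishable from one where a firewall drops the packet, which is why a scan cannot tell that anything is listening there.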