
New openVPN ECC config files


Topic Author
cryptomon
Posts: 30
Joined: Fri Feb 23, 2018 7:32 am

New openVPN ECC config files

Post by cryptomon » Sun Mar 18, 2018 2:09 pm

I must have missed something, is there somewhere one can read up about the new ECC config files? (https://github.com/cryptostorm/cryptost ... tion_files)
I've worked out it stands for elliptic-curve-cryptography and from the readme: "provide the best/strongest crypto available to OpenVPN at the moment." The readme says "Unlike the old ones, these new instances will be cross-platform." however, when I opened a udp version it says "remote windows-lisbon.cryptostorm.nu 5060 udp" Is this still okay for Linux?

A brief explanation would help please?


Topic Author
cryptomon
Posts: 30
Joined: Fri Feb 23, 2018 7:32 am

Re: New openVPN ECC config files

Post by cryptomon » Mon Mar 19, 2018 4:50 am

cryptomon wrote:I must have missed something, .... Is this still okay for Linux?
My apologies, it turns out I didn't read the entire comments in the .ovpn files, which did provide further insights....
Quote:
# Even though the hostname below says "windows", the configuration for
# these ECC instances are actually cross-platform. It was just easier
# to reuse the DNS used by the Windows instances since the ECC instances
# are on port 5060 of all of the Windows instance IPs.

parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: New openVPN ECC config files

Post by parityboy » Mon Mar 26, 2018 2:59 am

@OP

No need to apologise, I can see how that could cause confusion. To be honest, I think it would actually be useful to create "linux-" prefixed DNS entries which point to the same IP addresses and have a separate set of configuration files.

The fact that they would effectively be "duplicates" is something worth swallowing in this case. :thumbup:

df
Site Admin
Posts: 420
Joined: Thu Jan 01, 1970 5:00 am

Re: New openVPN ECC config files

Post by df » Wed May 23, 2018 11:29 pm

@parityboy
I decided not to use "linux-" because eventually we'll probably be ditching the whole linux/windows separation and switching completely to ECC.
Plus this way linux clients connecting to ECC will get to use the Windows IPs they normally don't get to use.
We haven't yet switched to ECC completely simply because some customers are still using old routers and other devices that are stuck on OpenVPN 2.3.x and don't provide an easy way to upgrade, and ECC requires 2.4.x.
But it seems like less and less people are having that issue.
I think a good time to do the switch is when OpenVPN 2.5 comes out. By then everyone on 2.3.x should be using at least 2.4.x.
And that way I could do ECC on all ports, but maybe set aside another port for whatever neat new features 2.5 will include :-d
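
Added example, not part of the original post and not cryptostorm's own tooling: a client-side preflight for the 2.4.x requirement mentioned above, which also lists the endpoints an .ovpn profile will connect to. The function names are hypothetical, the sample profile and version banners are constructed from lines quoted in this thread, and it assumes the first line of `openvpn --version` begins with "OpenVPN <major>.<minor>".

```sh
#!/bin/sh
# Added example. Real use (assumption about the banner format):
#   supports_ecc "$(openvpn --version 2>/dev/null | head -n 1)"

# Extract "major.minor" from a version banner line; prints nothing if unparseable.
ovpn_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenVPN \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' | head -n 1
}

# Return 0 if the banner reports OpenVPN >= 2.4 (needed for the ECC instances),
# 1 if it is older, 2 if the banner could not be parsed.
supports_ecc() {
    se_v=$(ovpn_version "$1")
    [ -n "$se_v" ] || return 2
    se_major=${se_v%%.*}
    se_minor=${se_v#*.}
    [ "$se_major" -gt 2 ] || { [ "$se_major" -eq 2 ] && [ "$se_minor" -ge 4 ]; }
}

# Print "host port proto" for every active remote directive in profile text.
# Comment lines (# or ;) are skipped; unspecified fields are shown as "-".
remote_endpoints() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[#;]/ { next }
        $1 == "remote" {
            print $2, ($3 != "" ? $3 : "-"), ($4 != "" ? $4 : "-")
        }'
}

# Constructed sample profile fragment, built from the lines quoted in this thread.
SAMPLE_CONFIG='# Even though the hostname below says "windows", the configuration for
# these ECC instances are actually cross-platform.
remote windows-lisbon.cryptostorm.nu 5060 udp'

# Constructed banner for a device stuck on 2.3.x.
SAMPLE_BANNER='OpenVPN 2.3.18 mips-openwrt-linux-gnu [SSL (OpenSSL)]'

if supports_ecc "$SAMPLE_BANNER"; then
    echo "client can use: $(remote_endpoints "$SAMPLE_CONFIG")"
else
    echo "client too old for ECC instances: $(ovpn_version "$SAMPLE_BANNER")"
fi
```
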

parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: New openVPN ECC config files

Post by parityboy » Fri May 25, 2018 5:53 pm

@df

To be honest, I'm not so sure regarding the routers. Routers supporting OpenVPN (e.g. ASUS) are pretty popular and (being routers) I'm not sure how many firmware updates they receive after launch or if those updates include updated OpenVPN instances (I doubt it).

Most people are still on pretty crap connections so they likely won't notice that their $200 router caps out at 5Mb/s when doing VPN and those that do will swallow it for the sake of privacy. Ironically, the ECC instances will likely eke out a little more performance while the router likely won't be updated to take advantage of it.

Just my opinion, but I think those 2.3.x instances are going to be around for a lot longer than you might think...

df
Site Admin
Posts: 420
Joined: Thu Jan 01, 1970 5:00 am

Re: New openVPN ECC config files

Post by df » Fri May 25, 2018 6:16 pm

@parityboy
I agree, they will be around for a long time to come, but eventually we have to drop support for the oldest configurations.
Backwards compatibility is understandable to a degree, but once it starts hindering the security/progress of the whole network, it's time to make changes (like how we dropped XP support, even though it is still possible to connect on XP using an older OpenVPN GUI).
But since it most likely will take a long while (if it happens at all) for those people to upgrade to 2.4.x/2.5.x, 2.3.x will still be supported.
I guess what we could do is what we're doing with the ECC instances, like where port 5060 is reserved just for ECC, but instead do that for the older instances on another port.
That way all the other ports could be used for ECC, and I could still reserve other ports for other features.
