We're deprecating the RSA configs

Post by df » Sun Jul 04, 2021 10:13 pm

We'll be deprecating our RSA OpenVPN configs soon, so if you're still using those you need to switch over to the ECC ones (or use WireGuard).

The reason we're doing this is that the RSA configs only exist for people using ancient 2.3.x versions of OpenVPN, and according to https://community.openvpn.net/openvpn/w ... edVersions version 2.3.x reached its end-of-life last month.
We've kept supporting it for this long because a handful of stubborn clients are still using 2.3.x, probably on certain embedded devices that sometimes make it difficult to upgrade, but it's time to force those clients to upgrade. The last 2.3.x release was on Sep 25, 2017, so if you're still using 2.3.x, you really need to upgrade.

Another reason we've had the RSA configs for so long is that a lot of our clients use Ubuntu, and Ubuntu's repos are slow about updating the OpenVPN plugin for Network Manager, which is also slow at supporting new features in OpenVPN. https://gitlab.gnome.org/GNOME/NetworkM ... aster/NEWS says they didn't add support for 'tls-crypt' until version 1.2.10, and they didn't add support for 'tls-version-min', 'tls-version-max', and 'compress' until version 1.8.12. https://packages.ubuntu.com/search?suit ... chon=names says everything is using 1.8.12, except bionic which is still on 1.8.2. So if you're still using bionic, you should use the terminal to connect to the VPN instead of Network Manager, or just upgrade.

If you try to use the RSA configs on a more recent OpenVPN you'll notice that it gives warnings about the "cipher AES-256-CBC" config directive. That's only there so that it'll work with those ancient OpenVPN versions; the server would still negotiate the cipher to AES-256-GCM if your OpenVPN supports it, and the TLS cipher would upgrade to whatever the best available is too. It's still more secure than the defaults most VPN providers use, but it's adding confusion for a lot of new customers, especially the ones new to Linux. Even though we've been recommending the ECC configs for years now, a lot of them are still using the RSA configs instead. So to avoid the confusion, and because of the other reasons listed above, we're ditching the RSA configs.
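A small audit script, added here as an example and not part of df's post or cryptostorm's own tooling, that checks a client .ovpn file for the directives the post mentions: the legacy pinned "cipher" line that newer OpenVPN versions warn about, the tls-crypt / tls-version-min / tls-version-max / compress directives that need OpenVPN 2.4 or later, and whether the installed OpenVPN is an end-of-life 2.3.x (or older) release. It assumes a plain-text config with one directive per line and inline key material in `<tag>...</tag>` blocks; the demo config at the bottom and its hostname are constructed, not real cryptostorm values.

```shell
#!/bin/sh
# Added example, not cryptostorm's own tooling: audit an OpenVPN client config
# for the directives discussed in the post and flag an end-of-life OpenVPN.
# Assumes a plain .ovpn text file, one directive per line, with inline key
# material in <tag>...</tag> blocks.

# Print the directive keyword of every non-comment, non-blank line
# (inline block tags such as "<tls-crypt>" come out as that tag).
ovpn_directives() {
    sed -e 's/[#;].*$//' "$1" | awk 'NF { print $1 }'
}

# Succeed if the config pins a cipher with a "cipher ..." line. OpenVPN 2.4+
# negotiates the data cipher and warns about this legacy directive.
ovpn_has_pinned_cipher() {
    ovpn_directives "$1" | grep -qx 'cipher'
}

# Succeed if the config uses tls-crypt, either as a directive pointing at a
# key file or as an inline <tls-crypt> block.
ovpn_uses_tls_crypt() {
    ovpn_directives "$1" | grep -qxE 'tls-crypt|<tls-crypt>'
}

# Print the oldest OpenVPN generation a config can work with: "2.3" when it
# avoids the newer directives named in the post, otherwise "2.4".
ovpn_required_generation() {
    if ovpn_directives "$1" |
        grep -qxE 'tls-crypt|<tls-crypt>|tls-version-min|tls-version-max|compress'; then
        echo "2.4"
    else
        echo "2.3"
    fi
}

# Succeed if an OpenVPN version string (e.g. "2.3.18") is a 2.3.x-or-older
# release, i.e. end-of-life and no longer receiving fixes.
openvpn_is_eol() {
    case "$1" in
        2.[0-3].*|1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per finding. Usage:
#   ovpn_audit client.ovpn "$(openvpn --version | awk 'NR==1 { print $2 }')"
ovpn_audit() {
    cfg=$1; ver=$2
    if ovpn_has_pinned_cipher "$cfg"; then
        echo "$cfg: pins a cipher (legacy directive; modern OpenVPN warns and negotiates instead)"
    fi
    if ovpn_uses_tls_crypt "$cfg"; then
        echo "$cfg: uses tls-crypt (needs OpenVPN 2.4+)"
    fi
    echo "$cfg: oldest usable OpenVPN generation is $(ovpn_required_generation "$cfg")"
    if openvpn_is_eol "$ver"; then
        echo "installed OpenVPN $ver is end-of-life; upgrade before switching configs"
    else
        echo "installed OpenVPN $ver is supported"
    fi
}

# Demo on a constructed legacy-style config (not a real cryptostorm config;
# the hostname is a placeholder).
demo=$(mktemp)
cat > "$demo" <<'EOF'
client
dev tun
# constructed placeholder hostname
remote vpn.example.invalid 443 udp
cipher AES-256-CBC
auth SHA512
EOF
ovpn_audit "$demo" "2.5.3"
rm -f "$demo"
```

Run it against your own config with the version string of the OpenVPN you actually connect with; a "pins a cipher" finding on a config that still works is exactly the warning the post describes, and a "2.4" result tells you a 2.3.x client or an old NetworkManager-openvpn plugin will not be able to use it.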