There are many traps when it comes to the OpenVPN configuration your VPN provider offers. In this short tutorial I will show you what you need to know and which points are really important to look at.
How to edit an OpenVPN configuration file?
If the VPN provider offers a .openvpn configuration file, you can simply edit it with any text editor you like; the file is just a text file with a different extension so that most OpenVPN client software, or your router, can read it.
What are the important points?
Keep in mind that the following configuration is not supported by every VPN provider; this means you might get an error or not be able to connect to your VPN. In that case you need to research which methods your provider supports.
- You should check if your processor has AES-NI instructions. If it does, the key exchange should be protected from SPA (Simple Power Analysis) and DPA (Differential Power Analysis) attacks, and AES will be a lot faster.
- If this is your own server, you should use at least a 4096-bit RSA keypair. 2048 bits is becoming weak (looking into the future). However, 4096 bits is overboard: 2048-bit/AES-256 is currently uncrackable and will be until at least 2030, which is also the reason most VPN providers still use 2048 bits. Using 4096 bits would give only a minute number of users an actual benefit while being a hindrance and inconvenience for 99.999999% of users. 3072-bit/AES-256 will be uncrackable by consumers until at least 2050+, and may possibly be crackable by a server farm by then, but even that is iffy. Even then, PFS via DHE would still guarantee that even if one VPN session were decrypted, it would likely be inconsequential, since every additional session would have to be decrypted with a different key. Simply disconnecting and reconnecting to the VPN every 30 minutes would give the paranoid a better solution. The NSA & D.o.D use 2048-bit/AES-192, which has been acceptable for use until ~2020 IIRC; they at least write it down in their own public “memorandum on encryption”. According to their documents, 128-bit security, which is equal to RSA 3072, is currently fine and doesn't waste many resources for nothing.
- The currently available parameters can be found on the official man page.
# Use at least version 1.2 of TLS!
# Use ECDHE (Elliptic Curve Diffie–Hellman) for key exchange + RSA for authentication + AES-256-GCM-SHA384, which is authenticated by Galois/Counter Mode with SHA384, for the handshake
# Use AES-256-CBC (Cipher Block Chaining) for data encryption
# Use SHA512 to authenticate encrypted data
# Renegotiate encryption keys every minute
# Using tls-cipher and tls-version-min is not needed and seems to be a bug in OpenVPN
# You can manually define ecdh-curves.
# Prevent possible DNS leaks
OpenVPN 2.4.1 and ecdh-curves
Since OpenVPN 2.4.1+ you can manually define which curves you would like to use; the following curves are supported:
- Oakley-EC2N-3
- Oakley-EC2N-4
Your clients must support these newer options. If you're unsure which curves are supported by your VPN provider, ask them!
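As an added example (not part of the original post and not any provider's code), the following Python script parses a .ovpn file and checks it against the checklist above, including the ecdh-curve line from this section. The two sample configs, the placeholder inline <ca> block and the fallback values used for absent directives are constructed assumptions for this example.

```python
WEAK_OVPN = """\
remote vpn.example.invalid 1194
auth SHA1
"""
HARDENED_OVPN = """\
remote vpn.example.invalid 1198
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512
reneg-sec 60
ecdh-curve secp384r1
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

def parse_ovpn(text):
    """Map each directive to its argument list; comments and <tag>...</tag> inline blocks are skipped."""
    opts, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:  # inside <ca>, <cert>, <key>, <crl-verify>: only note that the block exists
            in_block = None if line == f"</{in_block}>" else in_block
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            opts[in_block] = ["(inline)"]
            continue
        name, *args = line.split()
        opts[name] = args  # a later duplicate overrides an earlier one (enough for this audit)
    return opts

def audit_ovpn(text):
    """Return findings against the checklist (empty = passes); fallbacks are assumed old OpenVPN defaults."""
    o, findings = parse_ovpn(text), []
    if o.get("tls-version-min", ["1.0"])[0] < "1.2":
        findings.append("tls-version-min: allow TLS 1.2 or newer only")
    if "ECDHE" not in o.get("tls-cipher", [""])[0].upper():
        findings.append("tls-cipher: control channel is not pinned to an ECDHE suite")
    if not o.get("cipher", ["BF-CBC"])[0].upper().startswith("AES-256"):
        findings.append("cipher: data channel is not AES-256 (BF-CBC was the old default)")
    if o.get("auth", ["SHA1"])[0].upper() != "SHA512":
        findings.append("auth: packet HMAC is not SHA512")
    if int(o.get("reneg-sec", ["3600"])[0]) > 60:
        findings.append("reneg-sec: keys are renegotiated less often than once a minute")
    return findings
```

Run `audit_ovpn(open("client.ovpn").read())` on your provider's file; each finding names the directive to add or change.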
The following example is for PIA:
remote swiss.privateinternetaccess.com 1198
Some OSes (like iOS) need the certificate directly within the configuration; this would look like the following (for Chicago servers):
remote us-chicago.privateinternetaccess.com 1198 udp
remote us-chicago.privateinternetaccess.com 502 tcp
setenv CLIENT_CERT 0
-----BEGIN X509 CRL-----
-----END X509 CRL-----
Please keep in mind that PIA (and other providers) also offer specific configuration files for mobile devices as a download; it's mostly a bit hidden. Most providers also offer a lot of guidance on their FAQ or help desk pages.
TCP vs. UDP
Many VPNs allow you to connect to their servers using two different communication protocols. And while it might not make as much of a difference to your security, it's still good to know which one to choose.
Transmission Control Protocol (TCP) is a “stateful protocol,” which means, in simple terms, that the receiving computer confirms its receipt of the data packet being sent. If the sending computer doesn’t receive a confirmation, it sends the packet again.
This ensures that your data is transmitted reliably and that packets don’t get dropped.
User Datagram Protocol (UDP) is a “stateless protocol,” so it doesn’t wait for confirmation of receipt from the other computer. This makes communication faster, but also opens it up to the potential of communication errors.
In general, I recommend using UDP most of the time (it is already set to UDP by every VPN provider) unless you have communication errors, in which case you should switch to TCP. Many VPNs do this by default, but if you're given a choice, it's a good strategy to stick with.
Why are my speeds so slow?
OpenVPN in general only supports bandwidth rates of up to 150~200 MB/s (max); this is due to its implementation.
You usually do not need to tweak additional parameters in your configuration file; the client side and your OS/router should handle this. However, in some rare situations there are problems, and then you should think about changing your configuration file. As far as I know there is currently no speed problem under Linux or Windows (I don't know about macOS).
If something is wrong, just ask your VPN provider instead and show them your configuration so you can find a solution together; this might also help others. In general, you should not mess with the configuration unless you have read the OpenVPN man page and fully understood what these toggles really do!
Most ‘good’ VPN providers already offer solid configurations; some call them ‘strong’, which often only increases the AES cipher level, while others might not provide stronger configurations at all, and then this little guide might help you.
From what I tested, the top 10 most used VPN providers, like NordVPN, PIA, Proton, ExpressVPN, IPVanish, Windscribe, Perfect Privacy, VyprVPN, TunnelBear, StrongVPN and PureVPN, already offer good configurations which do not need to be changed unless you have some doubts or you're really being monitored.