By upgrading OpenVPN to 2.5 on our server side, we have addressed some security issues that our audit highlighted and enabled support for ChaCha20-Poly1305 in the process.
The final parts of our 2020 Infrastructure audit report are now in place: an upgrade to OpenVPN 2.5 on all our OpenVPN servers. This addresses some security issues that our audit highlighted, in the form of MUL-03-008. The best solution we found was to upgrade OpenVPN and the relevant code at the same time.
As a bonus, we have removed Blowfish as one of our fallback ciphers and added ChaCha20-Poly1305 in its place; this is the same cipher that our WireGuard® relays use. Though we haven’t set ChaCha20-Poly1305 as the default, it is in place now for potential use in future upgrades.
This upgrade also improves the initial and ongoing performance of OpenVPN; together with our next App Beta, network throughput can see speed improvements.
However, as with all positives, there also have to be some negatives: these changes have also meant that our server-side upgrade has removed support for client-side versions of OpenVPN lower than 2.4.
To read up on exactly which technical issue we solved, have a look at our recently published Infrastructure audit.
"WireGuard" is a registered trademark of Jason A. Donenfeld.