Tuesday, January 7, 2014
We are pleased to announce that our custom VPN Software for Windows is available: download it here (screenshot)
VPN Software features:
- Lightweight interface.
- No installation required (except for TUN/TAP v9 drivers required by OpenVPN).
- Support for OpenVPN, PPTP and L2TP/IPsec.
- VPN servers list and news are updated automatically.
- Software update notifications.
- It works on all Windows versions, both 32 and 64-bit.
Just unzip it to a folder and run it. It will prompt you to install OpenVPN TUN/TAP driver in case it is not already installed.
OpenVPN 256-bit is not yet implemented on all servers. Full roll-out by end of January - beginning of February.
Feedback and feature requests are very welcome, please send them to firstname.lastname@example.org
A version for Mac will be developed in the next 2 months, hopefully earlier.
Stronger OpenVPN encryption
We are currently updating all our servers to support a much stronger OpenVPN encryption level (already enabled on most servers. Full roll-out by the end of January - early February).
- 4096-bit RSA keys.
- AES-256-CBC cipher for tunnel data channel.
- PFS (Perfect Foward Secrecy) with hourly rekeying.
- SHA512 for HMAC auth.
- Certificates generated in a truly paranoid way using multiple, high quality entropy sources.
When it comes to encryption strength, it's not the ciphers that matter most - but the quality of encryption keys and the entropy sources used to generate them. Therefore, all our new keys (CA + server keys) were generated offline on a secure machine using multiple entropy sources: quantum RNG, Freebsd's Yarrow
, /dev/random on Linux with the haveged
entropy daemon. System's available entropy was 4096 bits (maxed-out) during OpenSSL seeding. All entropy sources passed the tests (rngtest
) successfully before using them and were destroyed after serving their purpose. We will provide more details in a blog post later.
Private DNS resolvers
We're implementing our own DNS resolvers that will be used by the VPN servers and users. This feature will protect VPN users from potential DNS query monitoring/wiretapping in datacenters or by data carriers.
Most of our VPN Nodes are currently using the service. We will roll-out the new service on all servers by the end of January - early February.
Private DNS features:
- All DNS queries from VPN users to DNS resolvers are transmitted via an encrypted channel (AES-128 CBC, PFS, 4096-bit RSA certificate-based authentication between VPN nodes and DNS resolvers).
- No DNS queries are logged on resolvers.
- Resolvers are querying the DNS root servers directly.
- Each private resolver generates random DNS queries for 1 million existing domain names (a lot more than 10 million actually, including the subdomains), mixing these "noise" queries with legitimate queries from VPN users. This way we ensure that potential monitoring of our DNS resolvers will be totally inefficient.
- No DNS resolvers are hosted in USA and UK, for obvious reasons.
More details on the Private DNS feature will be provided in a blog post. Meanwhile, if you need to know more or just want to share your thoughts, don't hesitate to get in touch with us.