Monday, January 1, 2024
Connections using OpenVPN XOR, AES-128 and AES-256 using outdated apps/server profiles will stop working on January 3, 2024, at 14:45 UTC time. You must use our latest apps to be able to connect with those 3 connection types, or the up to date OpenVPN server profiles with routers/3rd party apps.
What is the reason?
- One of our CA (Certificate Authority) certificates which validates the encryption keys for OpenVPN was generated 10 years ago, with a validity of 10 years. This CA is used for OpenVPN XOR, AES-128 and AES-256 bit connection types.
What is the impact?
- If you use any of those 3 OpenVPN connection types, either with our apps or on your router/with 3rd party apps (e.g. OpenVPN GUI, Tunnelblick, Network Manager on Linux, terminal and so on) - they will stop working once the CA certificate expires.
- If your connection type is OpenVPN ECC, there is nothing to worry about (yet). New updates will be rolled out in the coming months to renew the ECC CA.
What needs to be done?
- if you use our apps to connect, you must update to the latest versions. Updates are automatic on Android only via Google Play, for Windows/Mac/Linux - you must download and install the latest versions.
- For routers/3rd party apps/manual connections (e.g. via Network Manager on Linux, Tunnelblick on Mac), you may need to replace the CA certificate or the server profiles.
- Windows app v4.4.8: installer (64-bit, default), installer for obsolete 32-bit
- MacOS app v4.3.1: installer
- Android app v1.1.43 (phones/tablets): Play Store, .apk file (if you used an old .apk/not a recent release, you may need to erase the cache/data of the app)
- Linux v2.1: .deb package
- Server profiles for routers/3rd party apps: repository
The new CA has been generated on November, 2022, and it is available at our .ovpn repository (the ca.crt file) along with the server profiles.
If you imported the server profiles for routers/3rd party apps recently, you are probably already using the new CA. You can copy & paste the CA here and look at the "Expires" field, to make sure that it doesn't show "Jan 03, 2024".
What about the default connection type, OpenVPN ECC?
- For OpenVPN ECC, which is our default and most used connection type, the CA is valid until July, 2024. Updates with a new ECC CA will be released at a later date, in the coming months.
Are there any expected downtimes / maintenance works?
- Not really, the impact is minimal if you are already using the up to date apps/profiles. All servers have been prepared well in advance for the CA transition, but we are going to re-check during January 2, 3 and 4 to make sure that the transition was made as expected on all servers. In some cases, there may be forced reconnections.
We already published the changes and highlighted the importance of these updates in the Changelog page, which have been announced several times recently through the News tab of our apps and through our website.
If you received this announcement via email, don't reply to it, it has been sent from firstname.lastname@example.org which is an address that isn't monitored for incoming messages.