On March 16, we will begin upgrading our servers to OpenVPN version 2.4.0. In conjunction, we will introduce changes to our ports, protocols, and ciphers, all of which will provide improved service to our customers. We will also upgrade our server certificates from 2048-bit RSA with SHA1 to 4096-bit RSA with SHA512.
How does this affect you?
If you are using the Mullvad client, you do not need to do anything as the changes will be implemented automatically.
If you have a router running OpenVPN and want to benefit from all of the changes, you need to download a new configuration file and upgrade to OpenVPN 2.4.0. You may experience a drop in connection as we restart servers. The updating process can be monitored in our VPN servers guide.
With the upgrade to OpenVPN 2.4.0 comes support for the AES cipher mode GCM which offers better performance on most modern hardware. It will also be possible to use any cipher on any port. BF-CBC, AES-CBC, and AES-GCM will become available on all ports and protocols. Please note that AES-256-GCM will always be the preferred default with OpenVPN 2.4.0.
New ports added
We are adding more ports:
- TCP port 80
- UDP port 1301
- UDP port 1302
Why make these changes?
- We want to offer AES on TCP. Currently, we only offer it on UDP.
- We want to speed up our migration from Blowfish to AES. AES is more secure, has hardware support, is more efficient, and scales better.
- We are adding more ports in order to efficiently use our server capacity. This will allow us to offer faster speeds.
- Moving to 4096-bit RSA certificates with SHA512 will guarantee stronger security.
For a complete list of available ports and to read more, check out our guide on advanced options in the Mullvad client.
If you have any questions, please contact email@example.com.