Encryption Overview

This page aims to list the encryption ciphers and other relevant info for the various VPN apps and methods we support. Variations in app versions and devices may result in different cipher selection.

VPNGUI

The WEB method in VPNGUI defaults to ECDHE-ECDSA-AES128-SHA. This can be changed in the VPNGUI Preferences > Connections list. Our servers identify themselves with Let's Encrypt certificates. Let's Encrypt currently uses 2048-bit SHA256 RSA certificates.

The OpenVPN method uses the OpenVPN defaults: AES-256-GCM for the data channel, ECDHE-RSA-AES256-GCM-SHA384 for the control channel. Our servers identify themselves using a 4096-bit SHA256 RSA certificate from our private CA.

Chrome extension

Typically we see Chrome use TLS 1.3 with X25519 and AES_256_GCM. Our servers identify themselves with Let's Encrypt certificates, just like VPNGUI in WEB mode.

Firefox add-on

Typically we see Firefox use TLS 1.3 with TLS_AES_256_GCM_SHA384. Our servers identify themselves with Let's Encrypt certificates, just like VPNGUI in WEB mode.

Shadowscale

Shadowscale currently uses ECDHE-ECDSA-AES128-SHA. Our servers identify themselves with Let's Encrypt certificates, just like VPNGUI in WEB mode.

V2Ray

We support all V2Ray ciphers. Typically your V2Ray app will use either chacha20-poly1305 or aes-128-gcm.

WireGuard

WireGuard uses chacha20-poly1305 with Curve25519. Our setup uses both the public/private keys and a PSK.