Connect to Proxy.sh OpenVPN network using ECC (Diffie-Hellman) encryption

Proxy.sh is among the first VPN providers to offer transparent access to an ECC-powered OpenVPN network. We provide Diffie-Hellman initialized with a 4096-bit key along with the ECDH curve secp384r1. Our full control channel uses TLSv1.2 with the cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384, while the associated cipher is AES-256-CBC and the auth is SHA512, making the whole combination one of the strongest known to the cryptographic research field. We provide this ECC environment on port 465 (both UDP and TCP).

To connect to this ECC network, first go to our Network Status to locate the VPN nodes that have ECC enabled. Not all of our network is configured with ECC.

Once you have chosen one or several VPN nodes with ECC enabled, make sure to use an OpenVPN client that is compatible with ECC encryption. To date, only the OpenVPN master branch is compatible with ECC. Here is how to build OpenVPN from the master branch on Unix:

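          # Build dependencies (duplicate package names removed)
          yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel wget git-core libtool gcc-c++ libgcrypt-devel snappy-devel lzo-devel -y
          # These downloads use plain HTTP; check the package signatures (rpm -K <file>) before installing
          wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
          wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
          # Rebuild LZO from the source RPM; rpmbuild writes the binary RPMs under ~/rpmbuild/RPMS/<arch>/ by default
          rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
          rpm -Uvh ~/rpmbuild/RPMS/*/lzo-*.rpm
          # Unpack and build OpenVPN (openvpn-xor.tar.gz must already be in the current directory)
          tar zxf openvpn-xor.tar.gz
          cd openvpn-xor
          autoreconf -vi
          ./configure
          make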

Essentially the same applies to Windows and Mac if you have the skills to compile the libraries. For novice users, we unfortunately have no easy setup yet. We are working hard on implementing such an option in Safejumper.

Now, you should have an OpenVPN client that is compatible with ECC, and you should have chosen some of our VPN servers where ECC is supported.

In order to connect, you simply need to use the certificate found at https://proxy.sh/proxysh-ecc.crt, or replace the <ca> entry in your .ovpn config with the one below:

          <ca>
          -----BEGIN CERTIFICATE-----
          MIIB3DCCAWKgAwIBAgIJAMyliDCXM4kcMAoGCCqGSM49BAMCMBMxETAPBgNVBAMT
          CHByb3h5LnNoMB4XDTE0MTExMzExNTk1NVoXDTI0MTExMDExNTk1NVowEzERMA8G
          A1UEAxMIcHJveHkuc2gwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATwczmfgxUfobt/
          7S+A2P1tYNOYATTpxcIEAtUVCgywp1Fd6tKAttCqvpHz8PDOb4NYS6JONivO5yaT
          jfDiTrWRGZeYf2JsNs6byv/A9qxvDCcJ49EotonMJYX4+TQq75ejgYEwfzAdBgNV
          HQ4EFgQU6miAiqVUQAYeUP4LnZfKNdfQjUkwQwYDVR0jBDwwOoAU6miAiqVUQAYe
          UP4LnZfKNdfQjUmhF6QVMBMxETAPBgNVBAMTCHByb3h5LnNoggkAzKWIMJcziRww
          DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDaAAwZQIwd5vR
          8fTrEdXLKZjiXeCjH/vxnnbelGcgpFz/r0cdr8YISa20w2zfGVB1+8XRhaYHAjEA
          yZeceiNW01Uj7DnjgWdLJWxcuduP1eTojzcQTGcFRPGd45w6pM1oGvLBhCD+QDzw
          -----END CERTIFICATE-----
          </ca>

Please also make sure to modify your .ovpn config to connect to port 465. Your .ovpn config file should therefore essentially look like this:

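          client
          dev tun
          proto udp
          # ECC nodes listen on port 465 (UDP and TCP)
          remote <IP_of_VPN_server_with_ECC> 465
          auth-user-pass
          resolv-retry infinite
          nobind
          # cipher and auth must match the values given for the ECC network
          cipher AES-256-CBC
          auth SHA512
          verb 3
          # route-method is honored on Windows only
          route-method exe
          route-delay 2
          comp-lzo
          persist-key
          persist-tun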
          <ca>
          -----BEGIN CERTIFICATE-----
          MIIB3DCCAWKgAwIBAgIJAMyliDCXM4kcMAoGCCqGSM49BAMCMBMxETAPBgNVBAMT
          CHByb3h5LnNoMB4XDTE0MTExMzExNTk1NVoXDTI0MTExMDExNTk1NVowEzERMA8G
          A1UEAxMIcHJveHkuc2gwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATwczmfgxUfobt/
          7S+A2P1tYNOYATTpxcIEAtUVCgywp1Fd6tKAttCqvpHz8PDOb4NYS6JONivO5yaT
          jfDiTrWRGZeYf2JsNs6byv/A9qxvDCcJ49EotonMJYX4+TQq75ejgYEwfzAdBgNV
          HQ4EFgQU6miAiqVUQAYeUP4LnZfKNdfQjUkwQwYDVR0jBDwwOoAU6miAiqVUQAYe
          UP4LnZfKNdfQjUmhF6QVMBMxETAPBgNVBAMTCHByb3h5LnNoggkAzKWIMJcziRww
          DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDaAAwZQIwd5vR
          8fTrEdXLKZjiXeCjH/vxnnbelGcgpFz/r0cdr8YISa20w2zfGVB1+8XRhaYHAjEA
          yZeceiNW01Uj7DnjgWdLJWxcuduP1eTojzcQTGcFRPGd45w6pM1oGvLBhCD+QDzw
          -----END CERTIFICATE-----
          </ca>
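
As a pre-flight check for a profile like the one above, the following added example (not part of the original article and not Proxy.sh tooling) lints an .ovpn file against the values this article states: port 465, cipher AES-256-CBC, auth SHA512 and a CA certificate. The function name check_ovpn, the sample address and the sample profile are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Proxy.sh code): lint an .ovpn profile against the values
# this article gives for ECC nodes. Reads a file argument or stdin, prints one
# FAIL line per problem and returns the number of problems (0 = all checks pass).
check_ovpn() {
    awk '
    function bad(msg) { print "FAIL: " msg; n++ }
    /^[ \t]*<ca>/    { in_ca = 1; next }
    /^[ \t]*<\/ca>/  { in_ca = 0; next }
    in_ca            { if ($0 ~ /-----BEGIN CERTIFICATE-----/) have_pem = 1; next }
    /^[ \t]*[#;]/ || NF == 0 { next }          # comment or blank line
    $1 == "ca"       { ca_file = 1 }           # external CA file is accepted too
    $1 == "cipher"   { cipher = $2 }
    $1 == "auth"     { auth = $2 }
    $1 == "remote"   {
        remotes++
        port = ($3 == "" || $3 ~ /^[#;]/) ? "(unset)" : $3
        if (port != "465") bad("remote " $2 " uses port " port ", expected 465")
    }
    END {
        if (!remotes)                bad("no remote directive")
        if (cipher != "AES-256-CBC") bad("cipher is \"" cipher "\", expected AES-256-CBC")
        if (auth != "SHA512")        bad("auth is \"" auth "\", expected SHA512")
        if (!have_pem && !ca_file)   bad("no CA certificate (inline <ca> or ca file)")
        if (in_ca)                   bad("<ca> block is not closed")
        exit n + 0
    }' "$@"
}

# Constructed sample profile: wrong port and no auth line; certificate body elided.
check_ovpn <<'EOF' || echo "$? problem(s) found"
client
dev tun
proto udp
remote 198.51.100.7 1194
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
(certificate body goes here)
-----END CERTIFICATE-----
</ca>
EOF
```

Run it against your own profile with `check_ovpn client.ovpn`; it only checks the file's contents and does not contact the server.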

Voilà, you now know how to connect to our OpenVPN network with ECC encryption. If you have other curves to suggest, we will happily deploy them on various ports; do not hesitate to get in touch with us.
