To provide the most stable connection possible, Private Internet Access (PIA) is eliminating PIA-specific patches to OpenVPN. In preparation for this migration, PIA is removing certain settings within the desktop and mobile applications that are no longer supported.
Removed Settings:
| Setting | Old Choices | New Setting |
| --- | --- | --- |
| Data Authentication | GCM cipher: GCM; CBC cipher or no encryption: SHA1, SHA256, None | GCM cipher: GCM |
| Handshake | RSA-2048, RSA-3072, RSA-4096, ECC-256k1, ECC-256r1, ECC-521 | RSA-4096 |
Additionally, the Data Encryption choice of “None” (no data-channel encryption) will no longer be available; the remaining Data Encryption choices are still supported.
Motivation:
Eliminating these patches allows PIA to provide several benefits:
- Improved compatibility: enhances manual connection stability.
- Reduced risk: minimizes issues caused by custom patches.
- Faster deployment: allows for more responsive OpenVPN updates and security fixes.
These patches originally allowed you to customize the encryption and authentication settings on a per-connection basis. OpenVPN 2.4 and later negotiate the data-channel cipher between client and server as a standard feature (negotiable crypto parameters, NCP), which supersedes the functionality of the older patches. PIA is moving forward with the most secure options by default.
Data Authentication
The Data Authentication setting is only relevant when using a CBC cipher, where a separate HMAC (SHA1 or SHA256) protects the integrity of each packet. When using a GCM cipher (the default in the Desktop and iOS applications), data authentication is provided as part of the GCM construction itself, and OpenVPN ignores the auth value for the data channel. (The auth value still selects the HMAC used by tls-auth or tls-crypt to protect the control channel, so it does not disappear entirely.)
When connecting to the VPN, GCM ciphers are preferred over CBC: they encrypt and authenticate in a single pass and are much more efficient when hardware AES acceleration is present. For systems without AES acceleration (Intel/AMD processors older than approximately 2013, ARM processors without the AES extensions, etc.), we recommend connecting over WireGuard, whose ChaCha20-Poly1305 cipher is the most efficient software alternative.
For the reasons above, we have decided to drop support for CBC ciphers. Starting with PIA 3.11.0 for the Mobile applications and PIA 2.9.0 for the Desktop applications, users will no longer be able to alter the application settings to connect over these ciphers.
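As an added example (not PIA's code and not the application's own logic), here is a small Python audit that parses a manual OpenVPN client profile, reports the settings this migration removes (CBC data ciphers, "cipher none", "auth none", disabled cipher negotiation), and rewrites the profile to rely on OpenVPN 2.4+ cipher negotiation instead. The sample profile, its placeholder host vpn.example.invalid and the inline CA placeholder are constructed for the example; the directive names (cipher, auth, ncp-disable, data-ciphers) are standard OpenVPN options.

```python
"""Audit an OpenVPN client profile for settings the migration removes and
emit a profile that relies on OpenVPN 2.4+ cipher negotiation (NCP).

Added example for this article, not PIA's own code.  The sample profile is
constructed and only mirrors the shape of a manual client config.
"""
import re
from typing import Dict, List

# Constructed "old style" profile (assumption: placeholder host and CA,
# not a real PIA-generated file).
OLD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1198
cipher aes-128-cbc
auth sha1
ncp-disable
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""

# AEAD data-channel ciphers: integrity is built in, so 'auth' does not
# govern the data channel when one of these is negotiated.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
# What a negotiating client should offer, preferred cipher first.
NEGOTIATED_CIPHERS = "AES-256-GCM:AES-128-GCM"
BLOCK_OPEN = re.compile(r"<([a-z-]+)>")


def parse_directives(profile: str) -> Dict[str, List[str]]:
    """Map each directive to its arguments (last occurrence wins).

    Inline blocks such as <ca>...</ca> hold PEM data, not directives, and
    are skipped.  Lines starting with '#' or ';' are comments.
    """
    directives: Dict[str, List[str]] = {}
    in_block = None
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = BLOCK_OPEN.fullmatch(line)
        if m:
            in_block = m.group(1)
            continue
        parts = line.split()
        directives[parts[0].lower()] = parts[1:]
    return directives


def _first(d: Dict[str, List[str]], key: str) -> str:
    """First argument of a directive, upper-cased, or '' if absent."""
    args = d.get(key)
    return args[0].upper() if args else ""


def audit(profile: str) -> List[str]:
    """Return one finding per setting that will stop working after the change."""
    d = parse_directives(profile)
    findings: List[str] = []
    cipher = _first(d, "cipher")
    auth = _first(d, "auth")
    if cipher == "NONE":
        findings.append("cipher none: an unencrypted data channel is no longer offered")
    elif cipher.endswith("-CBC"):
        findings.append(f"cipher {cipher}: CBC ciphers are dropped; let NCP pick an AEAD cipher")
    if "ncp-disable" in d:
        findings.append("ncp-disable: cipher negotiation (OpenVPN 2.4+) must stay enabled")
    for c in _first(d, "data-ciphers").split(":"):
        if c.endswith("-CBC"):
            findings.append(f"data-ciphers offers {c}: the server will no longer accept it")
    if auth == "NONE":
        findings.append("auth none: an unauthenticated data channel is no longer offered")
    elif auth and cipher in AEAD_CIPHERS:
        findings.append(f"auth {auth}: ignored for an AEAD data channel (only tls-auth/tls-crypt use it)")
    return findings


def migrate(profile: str) -> str:
    """Rewrite a profile to rely on cipher negotiation.

    'cipher' (or a stale 'data-ciphers') becomes 'data-ciphers' with AEAD
    ciphers only (OpenVPN 2.5 name; 2.4 spells it 'ncp-ciphers');
    'ncp-disable' and 'auth none' are dropped.  Any other 'auth' value is
    kept because it still selects the HMAC for tls-auth/tls-crypt.
    """
    out: List[str] = []
    in_block = None
    replaced = False
    for raw in profile.splitlines():
        line = raw.strip()
        if in_block:                      # copy inline PEM blocks untouched
            out.append(raw)
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = BLOCK_OPEN.fullmatch(line)
        if m:
            in_block = m.group(1)
            out.append(raw)
            continue
        parts = line.split()
        key = parts[0].lower() if parts and not line.startswith(("#", ";")) else ""
        if key == "ncp-disable":
            continue
        if key == "auth" and len(parts) > 1 and parts[1].lower() == "none":
            continue
        if key in ("cipher", "data-ciphers"):
            if not replaced:
                out.append(f"data-ciphers {NEGOTIATED_CIPHERS}")
                replaced = True
            continue
        out.append(raw)
    if not replaced:
        out.append(f"data-ciphers {NEGOTIATED_CIPHERS}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(OLD_PROFILE):
        print("finding:", finding)
    print(migrate(OLD_PROFILE))
```

Running the script prints two findings for the constructed profile (the CBC cipher and ncp-disable) and a rewritten profile that offers AES-256-GCM and AES-128-GCM through data-ciphers; auditing that rewritten profile reports nothing. On an OpenVPN 2.4 client, rename data-ciphers to ncp-ciphers.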
Handshake
The Handshake setting determines how the client authenticates the VPN server (it selects which server certificate the client expects). Because it only affects the TLS handshake on the control channel, not the encryption of the tunneled traffic, it does not impact the throughput or performance of the VPN connection. The default was RSA-2048; after eliminating this setting, the PIA application uses RSA-4096 (the largest RSA key previously offered) for all connections made over OpenVPN.
When connecting over the WireGuard protocol, the PIA application already uses the RSA-4096 certificate to authenticate the server during connection setup; the WireGuard tunnel itself is then keyed with WireGuard's own Curve25519 public keys, which is not a user-selectable setting.
If you have any questions or issues, please contact PIA Support by submitting a ticket here.