Server 3.x

Post-Quantum Cryptography

It is possible to configure your VPN server to be more resistant to CRQCs (Cryptographically Relevant Quantum Computers). There appears to be some urgency. We aim to NOT panic here, and slowly adopt PQC algorithms when their implementation is stable and readily available on operating systems we support without having to jump through hoops, or take on additional maintenance work.

To be very specific: for now we aim to protect against HNDL (Harvest Now, Decrypt Later), where an adversary stores all VPN traffic until such time as CRQCs are available to them.

We need to look at the following components:

To reach protection against HNDL, we do not need to go “all the way” and do not (yet) deploy post-quantum public key algorithms like ML-DSA. We may need to do that in the coming years though.

Web Server TLS

For this, all that is needed is to upgrade the VPN server host OS to one of the following versions:

This will make TLS connections, in combination with modern web browsers and our VPN apps, automatically use the MLKEM768X25519 key exchange algorithm.

Our most recent VPN app versions are all compiled using Go >= 1.24 and therefore also support MLKEM768X25519 for the API calls. The VPN apps also already enforced TLS >= v1.3.

If you installed your VPN server some time ago, it makes sense to review the TLS server configuration to make sure you require TLS >= v1.3.

OpenVPN

For OpenVPN we enforced TLS >= v1.3 already. If the OpenSSL library is modern enough, i.e. >= 3.5.0, MLKEM768X25519 will also be used for the TLS handshake.

It is possible to enforce MLKEM768X25519 on the server. This will block old OpenVPN clients that do not (yet) support MLKEM768X25519.

NOTE: available in vpn-user-portal >= 3.15.0

Modify /etc/vpn-user-portal/config.php:


// ...

'OpenVpn' => [
    // ...

    'pqKeyAgreement' => true,

    // ...
],

// ...

NOTE: our current macOS and iOS application does not yet support MLKEM768X25519 with OpenVPN; it will in versions >= 4.1.0.

NOTE: when enabling this option, do NOT forget to “Apply Changes” on your server and/or node(s):

$ sudo vpn-maint-apply-changes

NOTE: our OpenVPN configurations also use tls-crypt, but as the symmetric key is shared among all clients connecting to the same profile, this is not considered adequate and may not offer much protection anyway. We never got around to implementing tls-crypt-v2 as that would require its implementation in the macOS/iOS OpenVPN implementation we use.

WireGuard

NOTE: available in vpn-user-portal >= 3.15.0

For WireGuard, we enabled the PresharedKey option. Every configuration file will have its own unique symmetric key. This will be used in combination with the existing public key cryptography, and results in post-quantum resistance.
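
To check the "own unique symmetric key" property on a set of issued WireGuard configuration files, the following added example (not part of the VPN server software) reports every [Peer] that lacks a PresharedKey, has a malformed or all-zero key, or shares its key with another file. The function names, file names and key values are assumptions constructed for illustration.

```python
import base64
from collections import defaultdict

def peer_psks(config_text):
    """Return one PresharedKey value (or None) per [Peer] section."""
    section, psk, out = None, None, []
    for raw in config_text.splitlines() + ["[end]"]:  # sentinel flushes the last section
        line = raw.split("#", 1)[0].strip()           # drop comments
        if line.startswith("[") and line.endswith("]"):
            if section == "peer":
                out.append(psk)
            section, psk = line[1:-1].strip().lower(), None
        elif section == "peer" and "=" in line:
            key, value = line.split("=", 1)           # base64 padding stays in value
            if key.strip().lower() == "presharedkey":
                psk = value.strip()
    return out

def audit(configs):
    """configs maps file name -> config text; returns sorted (name, finding) pairs."""
    findings, seen = [], defaultdict(list)
    for name, text in configs.items():
        for psk in peer_psks(text):
            try:
                raw = base64.b64decode(psk or "", validate=True)
            except ValueError:
                raw = b""
            if psk is None:
                findings.append((name, "peer without PresharedKey"))
            elif len(raw) != 32:
                findings.append((name, "PresharedKey is not 32 base64-encoded bytes"))
            elif raw == bytes(32):  # WireGuard treats an all-zero PSK as no PSK
                findings.append((name, "all-zero PresharedKey"))
            else:
                seen[psk].append(name)
    for names in seen.values():
        if len(names) > 1:
            findings += [(n, "PresharedKey reused in another file") for n in names]
    return sorted(findings)

def _conf(psk_byte):  # constructed sample config; keys are repeated bytes, not real
    def key(b):
        return base64.b64encode(bytes([b]) * 32).decode()
    psk = "" if psk_byte is None else f"PresharedKey = {key(psk_byte)}\n"
    return (f"[Interface]\nPrivateKey = {key(9)}\n[Peer]\n"
            f"PublicKey = {key(8)}\n{psk}AllowedIPs = 0.0.0.0/0\n")

SAMPLE = {"alice.conf": _conf(1), "bob.conf": _conf(2), "carol.conf": _conf(2),
          "dave.conf": _conf(None), "erin.conf": _conf(0)}
```

Calling `audit(SAMPLE)` flags bob.conf and carol.conf for key reuse, dave.conf for a missing key and erin.conf for an all-zero key; an empty result means every peer has its own well-formed key.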