VPN name and shame, part 1: TorGuard VPN

In order to increase awareness, I am going to post info on those VPN providers who make false claims, either deliberately or because they don’t really know what they are selling.

Encryption strength is something that many get wrong, and people fall into the trap of buying the “highest encryption grade” VPNs from providers who claim to offer - guess what? - the highest encryption grade. If a landing page is telling you something, then it must be true. Right? …not!

How can you, as a non-tech savvy customer, verify that a provider’s claim is true regarding encryption strength?

First of all you should know how OpenVPN works. It is based on a client-server connection and the client configuration has to match the server configuration, otherwise you won’t be able to establish the connection.

Basically, an OpenVPN server won’t provide you with 256-bit encryption if the client is not configured to use 256-bit encryption. So you can check the .ovpn files from the VPN provider and see if there’s something like “cipher AES-256-CBC” and/or “keysize 256” in the file. Refer to the OpenVPN documentation for more info on config options.

If the cipher is not specified, then OpenVPN will use the default cipher, which is BF 128 (Blowfish, 128-bit keysize). Another thing you can do is to check the connection log file, because it will tell you what encryption cipher it is using. Depending on the provider, you may need to add a “verb 3 [to 5]” line in the .ovpn config file to see that.

There is absolutely nothing wrong with BF 128-bit, like it being insecure - it’s only a matter of claims & deceiving customers into buying something that’s different from reality. I don’t know about you, but I for one don’t like 1. liars or 2. those who don’t know how their product works.

This being said, I am starting the “Name & Shame series” with TorGuard VPN which is advertising 256-bit encryption.

And finally, here is a live chat log with their support rep. You can draw the conclusions yourself.

Later edit: “verb 2” is enough to see what cipher is used
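The two checks described in the post (a `cipher`/`keysize` line in the client .ovpn, and the cipher line OpenVPN prints in its connection log at verb 2 or higher) as a small script. This is an added example, not part of the original post; the .ovpn text and log lines are constructed samples and the hostname vpn.example.invalid is a placeholder.

```python
import re

# OpenVPN 2.3 falls back to Blowfish with a 128-bit key when a config has no 'cipher' line.
DEFAULT_CIPHER, DEFAULT_KEYSIZE = "BF-CBC", 128

# Line OpenVPN 2.x prints (verb 2 and up) once the data channel keys are set up.
LOG_CIPHER_RE = re.compile(
    r"Data Channel (?:Encrypt|Decrypt): Cipher '([A-Za-z0-9-]+)' initialized with (\d+) bit key")


def configured_cipher(ovpn_text):
    """Return (cipher, key bits) that a client .ovpn asks for, applying the 2.3 default."""
    cipher, keysize = DEFAULT_CIPHER, None
    for line in ovpn_text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()  # drop comments
        if len(parts) < 2:
            continue
        if parts[0].lower() == "cipher":
            cipher = parts[1].upper()
        elif parts[0].lower() == "keysize":
            keysize = int(parts[1])
    if cipher.startswith("AES-"):
        keysize = int(cipher.split("-")[1])  # fixed-length cipher: 'keysize' is ignored
    elif keysize is None:
        keysize = DEFAULT_KEYSIZE  # variable-length cipher (Blowfish) without 'keysize'
    return cipher, keysize


def negotiated_cipher(log_text):
    """Return (cipher, key bits) the connection log says is in use, or None if not logged."""
    for line in log_text.splitlines():
        m = LOG_CIPHER_RE.search(line)
        if m:
            return m.group(1), int(m.group(2))
    return None


def claim_holds(ovpn_text, log_text, claimed_bits=256):
    """Compare an advertised key length with what is actually used (log beats config)."""
    used = negotiated_cipher(log_text) or configured_cipher(ovpn_text)
    return used[1] >= claimed_bits, used


# Constructed sample client config with no 'cipher' line; the hostname is a placeholder.
SAMPLE_OVPN_NO_CIPHER = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\nverb 2\n"
SAMPLE_OVPN_AES = SAMPLE_OVPN_NO_CIPHER + "cipher AES-256-CBC\n"
# Constructed log lines in the format OpenVPN 2.3 prints at verb 2.
SAMPLE_LOG_BF = ("Tue Nov 12 10:00:01 2013 Data Channel Encrypt: Cipher 'BF-CBC' "
                 "initialized with 128 bit key\n"
                 "Tue Nov 12 10:00:01 2013 Data Channel Encrypt: Using 160 bit message "
                 "hash 'SHA1' for HMAC authentication\n")

if __name__ == "__main__":
    print(claim_holds(SAMPLE_OVPN_NO_CIPHER, SAMPLE_LOG_BF))  # (False, ('BF-CBC', 128))
    print(claim_holds(SAMPLE_OVPN_AES, ""))                   # (True, ('AES-256-CBC', 256))
```

When both sources are available the log wins, since it reports what the client actually negotiated rather than what the file requested.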

Glad to see that my iVPN .ovpn files all have that encryption in there! :slight_smile:

More relevant: Shouldn’t we remove TorGuard from the sidebar now, or…?

Nice work.

I’ve actually done this auditing with 43 VPN services internally, but I’m waiting to release a report on it.

The only caveat here is that just checking the config file might not be enough to make an accusation, because you can push cipher settings from the server.

You did check the client logs with high verbosity though. That will tell you what settings the VPN is using.

I just wanted to make it clear that sometimes a .ovpn or .conf file does not tell the whole story all the time.

Greetings reddit.

I’m an official TorGuard rep and would be happy to shamelessly address all the concerns that have been expressed here. While the above posting was unprofessional in nature, we welcome all comments and suggestions from our clients.

First, let’s get a few misconceptions out of the way:

1.) Calling us liars for advertising 256-bit is not a “false claim”, as a handful of our OpenVPN servers do use 256-bit. It is just not a very popular option among our clients…

2.) BlowFish CBC is perfectly safe.

So, why would many of our OpenVPN servers feature BlowFish instead of AES? The majority of TorGuard’s clients utilize the service to securely download large files - FAST. The average TG client could care less about a few bits and is mainly concerned that the 2GB download will be done before dinnertime. For these users, BlowFish will continue to be the best option as it provides some of the fastest OpenVPN encryption speeds across our network.

As explained to the OP by our advanced support desk, TorGuard is rolling out a brand new network wide update to our VPN servers late this weekend which will now offer three OpenVPN connection options on ALL VPN servers:

Option 1: Standard BF CBC connection
Option 2: AES 256 connection
Option 3: “Stealth” (obfsproxy) connection

Clients who currently care most about speed can continue to use BF-CBC through option 1, while those looking for AES-256 will now have this connection option on ALL VPN SERVERS through option 2. We are also excited to launch our new network wide “Stealth” connections which provide unblock-able VPN access for those in countries where VPNs are currently filtered. Unlike normal VPN traffic which can be filtered or blocked by an ISP/government, TorGuard Stealth VPN service will appear as regular HTTP traffic making it virtually impossible to block.

If you are using the TorGuard lite or Viscosity VPN software, simply restart the client later this weekend to automatically download this new update.

When our customers talk, we listen. Due to popular request(s), we’ve now added new VPN endpoints in the US, Iceland, Norway, Spain, Italy, Germany, India, and Canada, with new connections coming soon in Brazil and China.

Want more from TorGuard? We want to hear from you:
http://torguard.net/submitticket.php

Good thing you got the rep you did. They appear genuine in the transcript. I don’t think you should have gone off on them like that. Did you get back to the rep?

Torguard’s stealth openvpn configs use aes-256… I’m looking at them right now …so what the fuck is the issue?

Personally, these stealth connections are a bit too slow for me. I’ve been using the Canada UDP option and am more than happy with speeds.

tigerweeds is baked out of his gourd. either crack blowfish 128bit encryption or go smoke more weed.

I’m connecting through VPN now, I’ve checked my connection logs and .ovpn, there are no mentions of any encryption :O. Are there any other ways to check? I feel like I’m naked in a crowded shopping mall without VPN.

As far as I know from both my own tests and the OpenVPN documentation, the cipher can’t be pushed from the server and it has to be in both client and server configs.
Can you please post a reference/more details on how the cipher is pushed if it’s missing in the client config? Thanks

I’m an official TorGuard rep and would be happy to shamelessly address all the concerns that have been expressed here. While the above posting was unprofessional in nature, we welcome all comments and suggestions from our clients.

So it is unprofessional in nature to provide evidence exposing a false claim, but so far you have not provided any proof on which to base your claims.

Now tell me how professional in nature it is to dodge questions, trying to get away with vague answers, “shamelessly” posting a reply that’s more of a PR announcement, yet not showing any proof to base your claims on.

You only say that 256-bit is available on a “handful of servers”, while your support rep yesterday said that it is available on 50% of your servers. I asked him twice which are those servers and he told me to open a ticket.

Since you are publicly advertising something, it should be publicly available as a feature. Checking all your OpenVPN config files did not reveal a single server that is using 256-bit encryption. Not even one. You can update some config files now, if you didn’t do it already, to show that a “handful of servers” are using 256-bit. Changing a conf on the server side or adding some new ones only takes a few minutes, tops.

What was also funny in the conversation I had with your support rep yesterday was that he said that log files do not necessarily reflect the reality. Right, blame it on those guys who developed OpenVPN and SSL.

BlowFish CBC is perfectly safe.

That’s what I said in my first post and we shouldn’t discuss this at all.
The problem here is not the encryption level you are using, but WHAT you are telling people that you are using.

P.S. out of so many possible explanations for the false claims, like “we are sorry, someone else made the website for us” being the easiest one or “hey but we are using AES-256 for the control channel”, it is quite obvious, for me at least, that you prefer to be in denial while “shamelessly” kicking the can down the road until you will eventually add AES-256 then come back here to provide proof.

Follow-up support chat transcript, which I didn’t want to post until now, but you kind of asked for it.

Good luck with your upgrade.

Yes, I did. I have the transcript of the follow-up conversation I had with the rep today but I’m still wondering whether it’s a good thing to make it public. They acknowledged (not directly though) that they do not provide 256-bit encryption and they are going to roll out an update on all servers in a week.

The reason I don’t want to make the transcript fully public is because it’s not my intention to bash them or cause more harm than I probably caused already by exposing their false claims and making some people aware of how stuff works.
I will, however, provide the transcript privately via PM to those interested.

While I agree with your choice of the Canadian UDP for speed’s sake, and agree that Blowfish is fine, I believe that the OP’s point was regarding TorGuard’s misleading claim of 256…giving the impression that all of their servers have that level of encryption, as well as their support person’s insistence on this fact. The OP had a point, perhaps blown a little out of proportion, but a valid point nonetheless. TorGuard is fibbing a little in their advertising, and even the tech support people don’t know the difference.

Did you increase OpenVPN’s verbosity?

Actually you are correct, after trying to push the cipher settings it does fail and then default to Blowfish-128-CBC on OpenVPN 2.3.2.

So you cannot push cipher settings to the client. (Although I could swear that you used to be able to do that with the client/server model.)

Man, why so much hostility? (“kind of asked for it”???) What are you trying to accomplish? Do you realize the chat rep you keep posting logs from is from our general sales dept? He has no access to our network backend and limited knowledge of how things are configured. He was just doing his best job to answer your onslaught of questions which were better geared for our advanced techs. Posting his chats accomplishes nothing but showing that you were erroneously talking to the wrong person.

Not all our OpenVPN configs and VPN servers are made public, as some servers are reserved for VIP clients and special requests. If you need more than a handful of AES servers or a dedicated solution - ask our advanced tech dept, not 1 chat rep in sales.

I will be sure our dev team adds to our product pages that the servers feature both BF and AES. Honestly, I appreciate you bringing this to our attention as it allows us to further improve our service offerings. However, I strongly disagree with your statement that we’re “Liars” as it’s simply incorrect. Your post comes off more as trolling rather than constructive criticism.

Could one landing page be made more clear? Yes. Could we possibly add more AES options? Yes.

We have public servers that are AES (stealth). If you were actually a TorGuard client you would know this. Maybe not as many connection options as you’d like - and we are changing that. It’s imperative for any well rounded VPN provider to offer many different connection options.

Yeah, I did, still no mention of encryption, although I’m not sure how much to increase it to. Any suggestions? I only increased it to 3.

Edit: nvm, I found it. Paste the whole log and use the find tool. That’s a load off my chest.

I was going to say, the only way you wouldn’t have encryption with OpenVPN is if it was manually disabled.

It has Blowfish-128-CBC by default with a 1024 bit handshake.