The OpenVPN protocol has proven itself secure for over 20 years. It is available in our Windows, Linux, Android, and iOS/iPadOS apps, using the following encryption settings:
The control channel
The control channel establishes a TLS connection between the VPN client and the VPN server.
The whole process uses a symmetric key cipher, but the actual key exchange requires an asymmetric encryption system where a public key is used to encrypt the data, which can only be decrypted using a private key.
Proton VPN uses AES-256 for its symmetric cipher, RSA-4096 to ensure a secure key exchange, and HMAC SHA-384 hash authentication to verify the TLS certificates. The encryption suite we use also includes a Diffie-Hellman key exchange to provide forward secrecy.
The data channel
Once a TLS connection is established, OpenVPN transfers your actual data over the data channel. This is encrypted with a symmetric cipher (Proton VPN uses AES-256) and verified with a hash function (HMAC SHA-384 in our case).