A few people have asked which of our OpenVPN configs they should be using, or which one is the most secure? We'll try to answer that here without getting too technical.
We offer four types of configs: RSA, ECC, Ed25519, and Ed448.
We also offer two different protocols for connecting: UDP and T*****.
We'll start with the two protocol options, UDP or T*****.
Some of our clients believe that they should be using the T***** configs because T***** is more reliable than UDP. Normally this is true, but in the case of OpenVPN it's not. When you're connected to a UDP OpenVPN server, your traffic gets wrapped into the VPN tunnel created by OpenVPN. Most likely, the traffic you're generating is already T***** (browsing websites, checking email, etc.) so any integrity checks or retransmissions that need to be done will be handled by your operating system at the T***** level.
OpenVPN also has it's own layer of redundancy checks against VPN traffic that'll ensure the traffic gets to where it needs to go, regardless of UDP's lack of integrity checks.
https://openvpn.net/faq/what-is-t*****-meltdown/ and https://web.archive.org/web/20160314150811/https://sites.inka.de/~W1011/devel/t*****-t*****.html do a good job of explaining in why T***** OpenVPN wouldn't be a good idea. The second link talks about PPP over T*****, but the same can be applied to OpenVPN over T*****.
So you should be using our UDP configs. The only reason we also offer T***** is for people who are behind such restrictive firewalls that UDP OpenVPN is blocked.
As for the four types of configs and their security level, that depends.
RSA configs are mainly provided to support clients who are still using ancient versions of OpenVPN, ones that don't support ECC. They use 8192-bit RSA. If you've got OpenVPN 2.4.x or newer, then you shouldn't use the RSA configs. These configs will work with UDP or T***** ports 1 through 29999, excluding ports 5061 and 5062.
The default ECC configs use the elliptic curve se*****521r1, which is 521-bit, or according to https://web.archive.org/web/20090207194412/https://www.nsa.gov/business/programs/elliptic_curve.shtml roughly the same as 15360-bit RSA, or a security level (symmetric key size) of 256-bits. So the default ECC configs would provide the strongest cryptography out of the four. However, se*****521r1 is an NIST curve. There was an incident where the NIST allowed the NSA to backdoor the Dual_EC_DRBG algorithm. Most cryptographers agree that se*****521r1 is secure, but some people believe that if the NIST was willing to let the NSA do that once, it's possible that they'd do it again in some other fashion.
These configs will work with UDP or T***** ports 1 through 29999, excluding ports 5061 and 5062.
The Ed25519 configs use the Ed25519 curve, which is not an NIST curve. So the NSA's ability to influence aspects of it are highly unlikely. According to https://tools.ietf.org/rfc/rfc8032.txt, Ed25519 operates at the 128-bit security level, or roughly 3072-bit RSA.
These configs will only work with UDP or T***** port 5061.
The Ed448 configs use the Ed448 curve, which is also not an NIST curve. The same rfc8032.txt document above lists Ed448 as operating at the 224-bit security level.
These configs will only work with UDP or T***** port 5062.
To summarize, if you don't think the NSA has influenced se*****521r1, the default ECC configs would be the strongest option.
If that is a concern for you, Ed448 would be the next best option.
If you care more about speeds than security, Ed25519.
If you're using some ancient version of OpenVPN, you're stuck with RSA.
Keep in mind, that all 4 of those options are considered to be very secure, and will most likely remain very secure for the foreseeable future.
Also that you need at least OpenSSL 1.1.1 and OpenVPN 2.4.3 to use the Ed25519 or Ed448 configs.