diff --git a/actions/openvpn b/actions/openvpn
index 1d0f635b4..df2a1f3dc 100755
--- a/actions/openvpn
+++ b/actions/openvpn
@@ -49,12 +49,11 @@ verb 3
 
 tls-server
 tls-version-min 1.2
-tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
-cipher AES-256-GCM
+cipher AES-256-CBC
 script-security 2
 '''
 
-CLIENT_CONFIGURATION = '''
+CLIENT_CONFIGURATION_RSA = '''
 client
 remote {remote} 1194
 proto udp
@@ -62,7 +61,26 @@ proto udp6
 dev tun
 nobind
 remote-cert-tls server
-cipher AES-256-GCM
+cipher AES-256-CBC
+comp-lzo
+redirect-gateway
+verb 3
+
+{ca}
+
+{cert}
+
+{key}'''
+
+CLIENT_CONFIGURATION_ECC = '''
+client
+remote {remote} 1194
+proto udp
+proto udp6
+dev tun
+nobind
+remote-cert-tls server
+cipher AES-256-CBC
 redirect-gateway
 verb 3
 
@@ -74,7 +92,6 @@ verb 3
 
 CERTIFICATE_CONFIGURATION = {
     'EASYRSA_BATCH': '1',
-    'EASYRSA_ALGO': 'ec',
     'EASYRSA_DIGEST': 'sha512',
     'KEY_CONFIG': '/usr/share/easy-rsa/openssl-easyrsa.cnf',
     'KEY_DIR': KEYS_DIRECTORY,
@@ -90,7 +107,17 @@ CERTIFICATE_CONFIGURATION = {
     'EASYRSA_REQ_NAME': 'FreedomBox'
 }
 
-COMMON_ARGS = {'env': CERTIFICATE_CONFIGURATION, 'cwd': KEYS_DIRECTORY}
+CERTIFICATE_CONFIGURATION_RSA = {
+    'EASYRSA_KEY_SIZE': '4096',
+    **CERTIFICATE_CONFIGURATION
+}
+
+CERTIFICATE_CONFIGURATION_ECC = {
+    'EASYRSA_ALGO': 'ec',
+    **CERTIFICATE_CONFIGURATION
+}
+
+COMMON_ARGS = {'env': CERTIFICATE_CONFIGURATION_ECC, 'cwd': KEYS_DIRECTORY}
 
 
 def parse_arguments():
@@ -111,9 +138,19 @@ def parse_arguments():
     return parser.parse_args()
 
 
+def _is_using_ecc():
+    """Return whether the service is using ECC."""
+    if os.path.exists(SERVER_CONFIGURATION_PATH):
+        with open(SERVER_CONFIGURATION_PATH, 'r') as file_handle:
+            for line in file_handle:
+                if line.strip() == 'dh none':
+                    return True
+    return False
+
+
 def _is_setup():
     """Return whether setup is complete."""
-    return any(os.path.exists(fil) for fil in [DH_PARAMS, EC_PARAMS_DIR])
+    return _is_non_empty_file(DH_PARAMS) or os.path.exists(EC_PARAMS_DIR)
 
 
 def subcommand_is_setup(_):
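Review bot: The new server line `cipher AES-256-CBC` gives up the AEAD mode, so data-channel integrity now rests entirely on OpenVPN's separate `auth` HMAC, which defaults to SHA1 unless an `auth` directive exists elsewhere in SERVER_CONFIGURATION (the rest of that string is outside this hunk). If CBC is needed for client compatibility, add `auth SHA256` next to it, or better keep GCM for capable clients with `ncp-ciphers AES-256-GCM:AES-256-CBC` (OpenVPN 2.4+) so that only legacy clients fall back to CBC. Dropping `tls-cipher` likewise leaves control-channel suite selection to the build defaults; a short comment recording why both pins were relaxed would stop the next reader from restoring the ECDSA-only pin, which would presumably break the RSA deployments this commit targets.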
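Review bot: `comp-lzo` is added only to CLIENT_CONFIGURATION_RSA and not to the otherwise identical CLIENT_CONFIGURATION_ECC, so the two profiles differ in more than the key algorithm and nothing in the hunk says why. Compression over a VPN tunnel is a known compression-oracle risk (the VORACLE class of attacks) and is discouraged by OpenVPN upstream, so if it is only there to match an existing RSA server configuration, record that with a comment such as `# comp-lzo: existing RSA servers were deployed with compression enabled; not used for new ECC setups`, otherwise drop it. Since every other line of the two templates is the same, a single base string with the differing directives interpolated would keep them from drifting further apart.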
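Review bot: CERTIFICATE_CONFIGURATION_RSA never sets `EASYRSA_ALGO` now that the key has been removed from the base dict, so it relies on easy-rsa's built-in default being rsa; making it explicit with `'EASYRSA_ALGO': 'rsa',` documents the intent and survives a changed default. In both new dicts the `**CERTIFICATE_CONFIGURATION` spread comes after the specific entries, which means a base key of the same name would silently win; the conventional order is `{**CERTIFICATE_CONFIGURATION, 'EASYRSA_KEY_SIZE': '4096'}`. COMMON_ARGS is now pinned to the ECC environment, which looks intended for fresh setups but deserves a one-line comment, since the client-profile path chooses per installation instead.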
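Review bot: `_is_using_ecc` decides by a literal `dh none` line in the server configuration while `_is_setup`, two definitions below, decides by `EC_PARAMS_DIR` on disk, so the two can disagree if the configuration file and the key directory get out of sync, and the docstring does not say which marker is relied on. Document it, e.g. `"""Return whether the server configuration was generated for ECC (marked by a 'dh none' line)."""`, and the scan collapses to `return any(line.strip() == 'dh none' for line in file_handle)`. `_is_non_empty_file` is referenced by the new `_is_setup` body but is not defined in this hunk, presumably elsewhere in the commit.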
@@ -215,13 +252,18 @@ def subcommand_get_profile(arguments):
 
     subprocess.check_call([
         '/usr/share/easy-rsa/easyrsa', 'build-client-full', username, 'nopass'
-    ], **COMMON_ARGS)
+    ], env=CERTIFICATE_CONFIGURATION_ECC if _is_using_ecc() else
+    CERTIFICATE_CONFIGURATION_RSA,
+    cwd=KEYS_DIRECTORY)
 
     user_certificate_string = _read_file(user_certificate)
     user_key_string = _read_file(user_key)
     ca_string = _read_file(CA_CERTIFICATE_PATH)
 
-    profile = CLIENT_CONFIGURATION.format(ca=ca_string,
+    client_configuration = CLIENT_CONFIGURATION_ECC if _is_using_ecc(
+    ) else CLIENT_CONFIGURATION_RSA
+
+    profile = client_configuration.format(ca=ca_string,
                                           cert=user_certificate_string,
                                           key=user_key_string,
                                           remote=remote_server)
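Review bot: `_is_using_ecc()` is evaluated twice in this function, once for the easyrsa environment and again for the profile template, and each call re-reads the server configuration file, so if that file changes between the two reads the issued certificate and the emitted profile could be built for different algorithms. Evaluate it once at the top, `using_ecc = _is_using_ecc()`, then `env=CERTIFICATE_CONFIGURATION_ECC if using_ecc else CERTIFICATE_CONFIGURATION_RSA,` and `client_configuration = CLIENT_CONFIGURATION_ECC if using_ecc else CLIENT_CONFIGURATION_RSA`, which also removes the awkward `_is_using_ecc(` / `) else` line split. subcommand_get_profile begins before this hunk.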