Skip to main content
🎀 Speaking at KubeCon EU 2026 Lessons Learned Orchestrating Multi-Tenant GPUs on OpenShift AI View Session
🎀 Speaking at Red Hat Summit 2026 GPUs take flight: Safety-first multi-tenant Platform Engineering with NVIDIA and OpenShift AI Learn More
DevOps

CRA Requirements for VPN Software (EN 304 620)

Luca Berton β€’ β€’ 1 min read
#cra#vpn#security#etsi#compliance

πŸ”’ VPN Software Under the CRA (EN 304 620)

VPN software is classified as Important Products Class I. Given the sensitive nature of VPN traffic, the CRA imposes specific security requirements.

Key Requirements

Encryption Standards

  • Minimum TLS 1.3 for control plane
  • AES-256-GCM or ChaCha20-Poly1305 for data plane
  • Forward secrecy mandatory (ECDHE key exchange)
  • No fallback to weak ciphers

Authentication

  • Certificate-based authentication support
  • Multi-factor authentication capability
  • No default credentials
  • Secure credential storage

Data Protection

  • No logging of traffic content by default
  • Minimal metadata collection
  • DNS leak prevention β€” force DNS through VPN tunnel
  • Kill switch β€” block traffic if VPN disconnects

Update Mechanism

  • Signed updates with cryptographic verification
  • Auto-update capability
  • Rollback protection

For Enterprise VPN Deployments

If your organization deploys VPN software:

  • The VPN vendor is the manufacturer (CRA applies to them)
  • You should verify your vendor’s CRA compliance roadmap
  • Request SBOMs and vulnerability handling documentation
  • Include CRA compliance in procurement criteria

SBOM Requirements

VPN software SBOMs must include:

  • Cryptographic libraries (OpenSSL, BoringSSL, WireGuard kernel module)
  • Network stack components
  • Authentication modules
  • UI frameworks
  • All transitive dependencies

Developing or deploying VPN software in the EU? I help organizations prepare for EN 304 620 compliance. Get in touch.

Share:

πŸ“Œ Need expert help with this topic?

☁️

Cloud Infrastructure Design

Build resilient, cost-effective cloud environments with expert architecture consulting.

🐍

Ansible & Python Training

Level up your automation skills with expert-led Ansible and Python training.

Book a free consultation β†’

LB

Luca Berton

AI & Cloud Advisor with 18+ years experience. Author of 8 technical books, creator of Ansible Pilot, and instructor at CopyPasteLearn Academy. Speaker at KubeCon EU & Red Hat Summit 2026.

LinkedIn Bluesky YouTube Contact β†’
← Back to Blog

Related Articles

DevOps

Fix: OpenClaw in Docker β€” Connection Refused, Port Mapping, and Network Issues

Running OpenClaw in Docker and getting connection refused? Common issues with port mapping, bind addresses, DNS resolution, and WebSocket upgrades explained with fixes.

DevOps

Fix: OpenClaw Gateway non-loopback control UI requires gateway.controlui.allowedorigins

Getting the allowedorigins error when starting your OpenClaw gateway? Here is exactly how to fix it, with step-by-step configuration for local network, VPS, and reverse proxy setups.

DevOps

Fix: OpenClaw Model API Key Errors β€” 401 Unauthorized, Invalid Key, and Rate Limits

Troubleshoot OpenClaw API key issues across OpenAI, Anthropic, and GitHub Copilot. Covers 401 errors, invalid key formats, rate limits, and model fallback configuration.

Luca Berton Ansible Pilot Ansible by Example Open Empower K8s Recipes Terraform Pilot CopyPasteLearn ProteinLens TechMeOut