AC68 - Merlin 378.56 - OPENVPN - ECDHE/ECDSA support

winter

New Around Here
Hi, I am trying to set up an OpenVPN server on AC68 with Merlin 378.56 that uses a tls-cipher from the TLS-ECDHE-ECDSA category (such as TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256).

When I listed it in the server options, the server starts fine but gives the following error when a client tries to connect to it.

TLS: Initial packet from [AF_INET] IPport sid=76bde0df 30689078
Oct 31 18:48:23 openvpn[1417]: IPort TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Oct 31 18:48:23 openvpn[1417]: IPport TLS Error: TLS object -> incoming plaintext read error
Oct 31 18:48:23 openvpn[1417]: IPport TLS Error: TLS handshake failed


All CA, server, and client certs & keys are generated by easyrsa3 with EC and secp384r1.
The VPN client is 2.3.8 on Windows.

So far the highest tls-cipher I can pair the server and client on is DHE-RSA-AES256-GCM-SHA384 with RSA.

Is ECDHE/ECDSA supported so far? Based on my reading, it should work for the TLS handshake part.
 
I'm not sure if it's still needed with 2.3.8, but try adding this to the server and client configuration:

Code:
tls-version-min 1.0

This will allow it to use TLS 1.2.
 
Tried tls-version-min 1.0 & tls-version-min 1.2 on both server & client; it didn't make any difference.
Actually, by being able to use DHE-RSA-AES256-GCM-SHA384, it is already using version 1.2, as I read somewhere that this cipher is part of v1.2. Yes, the server message also said v1.2 when the connection is made.

I tried verb 5 on the client side and there is no error message coming out. Also tried a different desktop with 2.3.8; there is no difference.

Since I don't have a different server to try, I can't tell if the client has a problem or the server has. So far only the server side gives the error message listed above.

Just want to add, I also tried EC with secp256k1 on all keys and certs, same error message.

Wondering if anyone has experience with EC in OpenVPN. All I am swapping here is just the cert & key in server & client. With RSA, it all works; with EC, they don't.

Searching on the internet didn't give out anything useful. Based on all the pieces of information all over the place, EC is supposed to work for the TLS handshake part, not the data channel......
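The server-side error in this thread, "no shared cipher", comes from OpenSSL when it finds no suite it can both agree on with the client and authenticate with the certificate it was given. The script below is an added example (it is not from the thread, from OpenVPN or from Asuswrt-Merlin) that reproduces two of the conditions the server applies when choosing a suite: both peers must offer the suite, and the server certificate's key type must match the suite's authentication algorithm (ECDSA suites need an EC certificate, RSA suites an RSA one). The IANA-to-OpenSSL name table and the sample inputs are constructed for illustration.

```python
"""Offline check of why an OpenVPN/OpenSSL server can report 'no shared cipher'.

Added example for this thread, not code from the thread or from OpenVPN.
The tls-cipher names are in OpenVPN's IANA-style spelling
(TLS-<kx>-<auth>-WITH-<cipher>-<mac>).
"""
import re

# IANA-style name -> OpenSSL name, for the suites named in the thread plus two
# common neighbours. Constructed sample table, not an exhaustive mapping.
IANA_TO_OPENSSL = {
    "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384": "DHE-RSA-AES256-GCM-SHA384",
}

SUITE_RE = re.compile(
    r"^TLS-(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:-(?P<auth>ECDSA|RSA))?"
    r"-WITH-(?P<cipher>.+)-(?P<mac>SHA384|SHA256|SHA|MD5)$"
)

# Certificate public-key type -> the signature algorithm that key can produce.
CERT_KEY_AUTH = {"EC": "ECDSA", "RSA": "RSA"}


def parse_suite(name):
    """Split an IANA-style suite name into key exchange, auth, cipher and MAC."""
    m = SUITE_RE.match(name.strip())
    if not m:
        raise ValueError("unrecognised tls-cipher name: %r" % name)
    parts = m.groupdict()
    # Plain RSA key exchange (TLS-RSA-WITH-...) carries no separate auth token;
    # the RSA certificate key does both jobs.
    if parts["auth"] is None:
        parts["auth"] = parts["kx"]
    return parts


def to_openssl(name):
    """Translate an IANA-style name to the OpenSSL spelling, where the table knows it."""
    return IANA_TO_OPENSSL.get(name.strip(), name.strip())


def negotiable(server_tls_cipher, client_tls_cipher, server_cert_key_type):
    """Return the suites both peers offer that the server certificate can authenticate.

    Order follows the server's list, since the server picks the first match.
    Suites whose auth algorithm the certificate key cannot sign for are dropped;
    an empty result is the situation the server logs as 'no shared cipher'.
    """
    want_auth = CERT_KEY_AUTH[server_cert_key_type]
    offered_by_client = {s.strip() for s in client_tls_cipher.split(":") if s.strip()}
    usable = []
    for suite in server_tls_cipher.split(":"):
        suite = suite.strip()
        if not suite or suite not in offered_by_client:
            continue
        if parse_suite(suite)["auth"] == want_auth:
            usable.append(suite)
    return usable


def diagnose(server_tls_cipher, client_tls_cipher, server_cert_key_type):
    """One-line verdict in the spirit of the OpenVPN log message."""
    usable = negotiable(server_tls_cipher, client_tls_cipher, server_cert_key_type)
    if not usable:
        return "no shared cipher (cert key %s; server offers %s; client offers %s)" % (
            server_cert_key_type, server_tls_cipher, client_tls_cipher)
    return "would negotiate %s (OpenSSL name %s)" % (usable[0], to_openssl(usable[0]))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the thread: EC certs with an ECDSA
    # suite on both sides, the same suite against an RSA cert, and the RSA
    # setup the poster reports as working.
    ecdsa = "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
    rsa = "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"
    print(diagnose(ecdsa, ecdsa, "EC"))
    print(diagnose(ecdsa, ecdsa, "RSA"))
    print(diagnose(rsa, rsa, "RSA"))
```

The check this script cannot make offline is the third condition: the OpenSSL library linked into each OpenVPN build has to implement the suite at all. On each side, `openvpn --show-tls` prints the suites that build supports, and a tls-cipher value only has a chance of working when it appears in both lists.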
 