Asus RT-AC87U VPN cipher AES-256-GCM

gianpaoloracca

Occasional Visitor
Hi everybody. I have two Asus routers, an AC66 and an AC87. The first has merlin-wrt on it, while the latter doesn't.
I have some trouble with my VPN server on the AC87 with the stock Asus firmware.
For a couple of weeks now, every client has been complaining about the insecure cipher. I now have AES-256-CBC, but I read in some OpenVPN document that I should use AES-256-GCM, which doesn't seem to be available on the stock firmware.
If I install merlin-wrt firmware on the AC87, will I get different ciphers? I looked into my other router and it seems that it has AES-256-GCM.
Another question since it's been years since I changed firmware: if I switch to merlin-wrt will all my settings be gone?

Thanks a lot,

Gianpaolo
 
I saw on the main page... But I would like to know if the latest available firmware for RT-AC87U has AES-256-GCM cipher in it.
Thanks,

Gianpaolo
Looking at the old source code I believe it's:
Code:
AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
 
... But I would like to know if the latest available firmware for RT-AC87U has AES-256-GCM cipher in it.
You can check that information by executing the following set of commands in an SSH terminal window:
Bash:
openvpn --show-ciphers | grep ".*-GCM" ; echo ; openvpn --show-tls | grep ".*-GCM"
If you get no output at all, then the "AES-256-GCM" cipher is not available in the current version of OpenVPN (after installing the F/W you want to use, of course).
 
I have the same problem; my RT-AC87U firmware is "Firmware Version:3.0.0.4.382_52545", which I think is the latest.

Running what Martinsky wrote:

openvpn --show-ciphers | grep ".*-GCM" ; echo ; openvpn --show-tls | grep ".*-GCM"

AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

As you can see, it seems to be OK, but this AES isn't present in the select box:


1706546420051.png


Any idea?

Best regards,


munion
 
Stock firmware only added GCM support fairly recently - long after the RT-AC87U was moved to the end of life status. Nothing you can do about that.

Asuswrt-Merlin added legacy support for GCM ciphers with 384.6. Before that it was available through NCP, which requires both ends of the tunnel to support NCP, which was added with OpenVPN 2.4.
 
Running what Martinsky wrote:
That indicates that OpenSSL and OpenVPN support the cipher, however you also need the firmware itself to support it - your firmware doesn't.
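
The distinction made in the reply above (the OpenVPN binary supporting a cipher versus the server configuration actually offering it), as an added example that is not part of the original thread. The `--show-ciphers` sample and both configs are constructed, the function names are hypothetical, and `cipher`, `ncp-ciphers` and `data-ciphers` are OpenVPN's own directives:

```shell
#!/bin/sh
# Constructed sample of `openvpn --show-ciphers` output (format as in the thread).
SHOW_CIPHERS='AES-256-CBC (256 bit key, 128 bit block)
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)'

# Constructed server configs: one offers CBC only, one adds an NCP list.
CONF_CBC_ONLY='proto udp
port 1194
cipher AES-256-CBC'
CONF_WITH_NCP='proto udp
port 1194
cipher AES-256-CBC
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC'

# offered_ciphers CONFIG_TEXT
# Print each cipher named by cipher / ncp-ciphers / data-ciphers, one per line.
offered_ciphers() {
    printf '%s\n' "$1" | awk '
        $1 == "cipher" || $1 == "ncp-ciphers" || $1 == "data-ciphers" {
            n = split($2, c, ":")
            for (i = 1; i <= n; i++) print toupper(c[i])
        }'
}

# cipher_status CIPHER SHOW_CIPHERS_OUTPUT CONFIG_TEXT
# Print unsupported-by-binary, supported-but-not-offered, or offered.
cipher_status() {
    want=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    if ! printf '%s\n' "$2" |
        awk -v w="$want" 'toupper($1) == w { f = 1 } END { exit !f }'; then
        echo "unsupported-by-binary"
    elif offered_ciphers "$3" | grep -qxF "$want"; then
        echo "offered"
    else
        echo "supported-but-not-offered"
    fi
}

for conf in "$CONF_CBC_ONLY" "$CONF_WITH_NCP"; do
    cipher_status AES-256-GCM "$SHOW_CIPHERS" "$conf"
done
# On a live system, pass "$(openvpn --show-ciphers)" and the text of the
# generated server config (its path is firmware-specific and not given here).
```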
 
Thank you very much, the only way is replacing my RT-AC87U.

Now I'm running OpenVPN on both my RT-AC87U and 4G-AC86U. I'll try to make a VPN with Raspberry; I have one on each side of my networks.

Best regards
 
You could install Merlin 384.13_10 on the 87U.
 