new to openVPN inbound using RT-N66U


Dan-H

Regular Contributor
Hi, I'm new here.

I am trying to get the OpenVPN server working to allow inbound client connections to my ASUS RT-N66U using Tunnelblick, but I'm getting errors (at the very bottom).

I've seen several possible reasons why this isn't working, and my best guess is that my OpenVPN client, Tunnelblick v3.5.3 (build4270.4371), is enforcing longer Diffie-Hellman keys than the router has.

I found this post: https://groups.google.com/forum/#!topic/tunnelblick-discuss/V657umITS5w

Which led me to this page: https://openvpn.net/index.php/open-source/documentation/howto.html#pki

Am I chasing the right problem? What are my options?
I think they are:
1) Update the router software
2) downgrade the openVPN client
3) cook up a key and install it on the router.

#1 is too risky for me as it is my only working router.
#2 is an option, but, if the shorter key is a credible security risk I'd like to avoid it
#3 sounds like the best option, but I'm somehow not able to create one.

Any ideas?


details:
ASUS RT-N66U fw version: 3.0.0.4.376_3861
Mac OSX 10.10.5
tunnelblick v3.5.3 (build4270.4371)

2015-09-17 20:46:41 TLS Error: TLS object -> incoming plaintext read error
2015-09-17 20:46:41 TLS Error: TLS handshake failed
2015-09-17 20:46:41 SIGUSR1[soft,tls-error] received, process restarting
2015-09-17 20:46:41 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2015-09-17 20:46:41 UDPv4 link local: [undef]
2015-09-17 20:46:41 UDPv4 link remote: [AF_INET]50.173.162.107:1194
2015-09-17 20:46:42 TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

I also have a Windows 8.1 Pro system and an Ubuntu 14.0x system if there is an easier key-gen for those operating systems.

Thanks in advance.

Dan
 
Yes, this is what the last line of the log you posted indicates.

This is your solution: http://www.snbforums.com/threads/as...e-helmann-dh-key-too-small.25326/#post-191211

Thanks for the link. Unfortunately it didn't work. The key referenced in the post throws this error. The key I generated last night throws the same error.

Diffle Hellman parameters field error!
Please check the Keys and Certification contents on the Advanced Settings page.



I looked on Asus website http://www.asus.com/us/Networking/RTN66U/HelpDesk_Download/
There is a Beta version that lists a fix, but it also lists "For Japan Only"

ASUS RT-N66U Firmware version 3.0.0.4.378.7410
- Release Note -

[For Japan Only]
Security fixes
- Fixed CSRF and XSS vulnerability when router is in default status (user does not set the router yet)


New features
- Added client list view button on network map and help administrator easily monitor all client connection status.
- Added the question feedback in Administration -> Feedback
- Added new DDNS provider www.oray.com


Bug fixes
- Fixed GUI related issues
- Fixed login issue when router’s IP is 10.x.x.x
- Fixed parental control-> time scheduling related issue.
- Fixed network tool related issues.
- Improved media server response time when new file added.
- Fixed network map UI issue when selected French.
- Added stateful server in IPv6

- Fixed the saving issue in OpenVPN server -> content modification of keys & certification.


Is this a risky update?

This is my only working router at the moment, and the VPN is not that critical and can wait.
 
That's not the same error.

The first error stated you had a valid DH but it was too small.

The new error is because the webui is bugged, and doesn't properly encode your new DH.

If you are running the stock firmware, some of their releases have a bugged interface where they incorrectly handle CR/LF line terminations, resulting in a corrupted certificate.

Upgrading is safe, you can ignore that "Japan only" line. I suspect this was for some legal reason.
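An added diagnostic for the two failure modes in this thread (the client rejecting a DH prime below 2048 bits, and the stock web UI corrupting a pasted file with CR/LF line endings). This is example code written for this edit, not from the thread, ASUS or OpenVPN; it parses an OpenVPN-style "DH PARAMETERS" PEM with the standard library only, and the sample parameters it builds are a constructed placeholder, not a real safe prime.

```python
import base64
import re

def _der_len(n):
    """DER length: short form below 0x80, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(n):
    """DER INTEGER; a leading 0x00 keeps a value with the high bit set positive."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def make_dh_pem(p, g, line_ending="\n"):
    """Build a PEM 'DH PARAMETERS' block (SEQUENCE { INTEGER p, INTEGER g }) with a chosen line ending."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = ["-----BEGIN DH PARAMETERS-----"]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("-----END DH PARAMETERS-----")
    return line_ending.join(lines) + line_ending

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def check_dh_pem(text, min_bits=2048):
    """Return (has_cr, p_bits, ok): CR/LF endings the buggy web UI mangles, size of p
    ('dh key too small' = below min_bits), and whether neither thread problem is present."""
    has_cr = "\r" in text
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  text.replace("\r", ""), re.S)
    if not m:
        return has_cr, 0, False
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    if tag != 0x30:            # not a SEQUENCE: wrong or corrupted file
        return has_cr, 0, False
    _, p_bytes, _ = _read_tlv(seq, 0)   # first INTEGER is the prime p
    p_bits = int.from_bytes(p_bytes, "big").bit_length()
    return has_cr, p_bits, (not has_cr and p_bits >= min_bits)

# Constructed stand-in for p (1024-bit odd number, not a real prime), saved with CR/LF endings
SAMPLE_PEM = make_dh_pem((1 << 1023) | 1, 2, "\r\n")
```

A real file for the router comes from `openssl dhparam -out dh2048.pem 2048`; running check_dh_pem on it before pasting it into the web UI tells you whether the size and the line endings are what the client and the router's form expect.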
 
That's not the same error.

The first error stated you had a valid DH but it was too small.

Correct. The first error was from the Tunnelblick console on my MacBook. The second error is from the router web UI.

The new error is because the webui is bugged, and doesn't properly encode your new DH.

If you are running the stock firmware, some of their releases have a bugged interface where they incorrectly handle CR/LF line terminations, resulting in a corrupted certificate.

Upgrading is safe, you can ignore that "Japan only" line. I suspect this was for some legal reason.

Thanks. I'll give the latest beta version a try.

ASUS tech support emailed me back today and advised me that Beta Version 3.0.0.4.378.4850 would solve my problem. I read somewhere on the forum that the 4850 build had more fixes in it than the release notes listed.

I'll probably try the 378.7410 version first.
 
Upgrading is safe, you can ignore that "Japan only" line.

Just to clarify my first post about my "fear" of upgrading.

I'm not opposed to minor updates of the stock firmware, but without a backup router I'm not willing to try one of the alternate releases, just in case the change goes badly.

My old backup, a Linksys WRT54G, has some hardware issues and will barely connect to the WAN. I reset it to factory, updated it, cleaned it and even spoke nicely to it, but it won't stay running for very long.

Thanks again for your suggestions.

This is a great forum / website with a wealth of knowledge.
 