RT-AC87U & OpenVPN: Using insecure hash algorithm in CA Sig

Marty

Occasional Visitor
Intro: I know now that this is not a new issue but I just ran into it and I don't think ASUS is going to resolve it so thought I post here in case someone found a solution. I know the work around is just to use a lower security level in the OpenVPN phone app, I'll default to that for now if I have to but would rather find a better solution until I can replace my router.

Issue: I have just run across this after updating the OpenVPN app on my phone to 3.4.1. I have spent time discussing this with OpenVPN, who were very helpful, and ASUS, who were not helpful. I have the ASUS RT-AC87U (yeah, it's old) and am running the latest firmware (yeah, that's old too :) After realizing that the 3.4.1 version of the OpenVPN app's default security level was causing the "You are using insecure hash algorithm in CA signature." error, I went into my router and changed the Encryption cipher to AES 256 CBC in combination with using SHA256 for the HMAC Authentication and then created a new client.ovpn file. However, that did not work; I got the same error.

The OpenVPN tech looked at my log files from the phone and found the following: "[Jan 17, 2024, 13:38:47] EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future"

The OpenVPN tech said: "In the case of your server (my router), the encryption cipher and the hash are using secure options, but the signature in the certificate is using a weak one." This matches what the error message says on my phone. My router does not offer me the "Renew Certificate" button like some ASUS router screens I've seen on the internet while searching for a solution; maybe that's due to me running ASUS firmware and not Merlin, I don't know. It doesn't seem to matter which cipher or HMAC authentication I use: when applying my changes and then clicking Export, the file is signed with SHA1 and the new OpenVPN app rejects it. Sure, I can use the lowest security option in the phone app, but I would rather solve this issue instead, and I don't have time right now to look for a new router and set it up as I'm about to go on travel and wanted to use the VPN on my phone. - ugh.

Does anyone know a way to get my router to sign with a more secure algorithm, like SHA254 or?

Attachments

  • tempImageRP3WtZ.png
Hi, did you find the solution? I am having the same issue.

I worked with both ASUS and OpenVPN. ASUS said my router was too old and to buy a new one! OpenVPN said that as time goes on, they continue to upgrade their security protocols. So, all I could do was to downgrade the security option in OpenVPN on my phone and laptop; see attached screenshot. This worked and will suffice till I do actually buy a new router.


Screenshot 2024-02-13 at 6.18.00 PM.jpg
 
OpenVPN Connect is quite picky. I also had to set it to "Insecure" mode to connect to a new QNAP NAS that was configured less than a year ago for a customer.
 
I'm OK with that; I'd rather err on the safer side. Choosing the Insecure option doesn't mean it's a giant risk; it's just the least secure of all their protocols. Their latest client version is pretty recent; that is when they upped their game and my old connection no longer worked. I already knew my router was old and in a way am glad this happened, because it will force me to finally change and upgrade my router, which I've wanted to do for a while now. I was just being lazy and didn't want to go in search of new routers and rebuild my network.

I am considering a Ubiquiti Edge router and a couple of access points this time instead of an all-in-one WiFi router. Any suggestions on that?
 
I am considering a Ubiquiti Edge router and a couple of access points this time instead of an all-in-one WiFi router. Any suggestions on that?

Dream Router is better. Comes with CloudKey and has 2x PoE LAN ports. Just add 2x APs for a complete 3x APs UniFi system.

Good for up to 700Mbps Internet line when the built-in IPS/IDS is used. Some users say it can do more with newer firmware releases.
 
Marty,

Thanks for posting, I just began to configure an OpenVPN server on my Asus RT-AC56U (also old). Like you, I found that only by setting the "Insecure" mode could I connect from my Android OpenVPN client. What perplexes me is WHY my certs are being seen as insecure. I chose the HIGHEST levels of encryption available to the router interface. Can I possibly assume that (in spite of the warnings about "Insecure") that the encryption strengths and protocols selected when creating the .ovpn file are in fact actually the ones in use when the "insecure" connection is established?

I have a rather limited scope for using a VPN. Specifically, I need to connect a single application through a specified internal IP address for 2-3 minutes at a time several times a day. This is to allow synchronization of a complicated but very small calendar database between several mobile (Android) devices and the server database. There is no other use intended. I can restrict connections on the OpenVPN server side to that small number of devices.

The risk seems lower than my current sync approach, which requires a Dropbox intermediary. If the risk IS actually as low as I hope with OpenVPN, it would be more convenient than the thrash of getting a new router (e.g., RT-AX86U) with a more up-to-date OpenVPN Server.

Thoughts? Thanks.
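Both Marty's first post and the RT-AC56U question above come down to the same fact the OpenVPN tech pointed out: the cipher and auth (HMAC) lines in the exported profile have nothing to do with the hash used in the CA certificate's signature, which is fixed when the router generates the certificate. The added example below is not from this thread or from ASUS; it is a small stand-alone checker that reads the inline <ca> block of a client .ovpn file, decodes the certificate's outer DER structure with a minimal parser, and reports the signature algorithm OID so you can see whether the CA was signed with SHA1 regardless of what the rest of the profile says. The profile text it checks is constructed for the example (the certificate inside it is only a structural skeleton, not a real cert), and the function names are mine.

```python
import base64
import re

# Hash names that OpenVPN Connect 3.4.x flags as insecure in CA signatures.
WEAK_HASHES = ("sha1", "md5")

# Well-known X.509 signature-algorithm OIDs (RFC 3279 / RFC 5758).
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn the DER body of an OBJECT IDENTIFIER into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def certificate_signature_algorithm(der):
    """Return the signature algorithm name (or raw OID) of a DER certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert_body, pos)        # AlgorithmIdentifier SEQUENCE
    _, oid_raw, _ = _read_tlv(alg_id, 0)            # its OBJECT IDENTIFIER
    oid = _decode_oid(oid_raw)
    return OID_NAMES.get(oid, oid)


def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def check_ovpn_ca(ovpn_text):
    """Return (algorithm_name, is_weak) for the CA cert in the profile's <ca> block."""
    m = re.search(r"<ca>(.*?)</ca>", ovpn_text, re.S)
    if not m:
        raise ValueError("no inline <ca> block in profile")
    name = certificate_signature_algorithm(pem_to_der(m.group(1)))
    return name, any(h in name.lower() for h in WEAK_HASHES)


# --- constructed sample input (not a real certificate) -----------------------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_profile(sig_oid):
    """Constructed .ovpn text whose <ca> holds a skeleton cert signed with sig_oid."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                         # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # AlgorithmIdentifier + NULL
    sig = _der(0x03, b"\x00" + b"\xAA" * 8)                        # placeholder signature
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----"
    # Strong cipher/auth lines, exactly as in Marty's case: they do not change the CA signature.
    return "client\ndev tun\ncipher AES-256-CBC\nauth SHA256\n<ca>\n" + pem + "\n</ca>\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_ovpn_ca(build_sample_profile(oid)))
```

On a real exported profile, pass the file contents to check_ovpn_ca; a result such as ("sha1WithRSAEncryption", True) means the client's complaint is about the CA certificate itself, and no cipher or HMAC setting in the router UI will clear it. The same information can be read with openssl x509 -noout -text on the CA certificate, under "Signature Algorithm". Note that this says nothing about the tunnel's own protection once connected: the data-channel cipher and HMAC from the profile are still what is negotiated; the weak SHA1 signature only weakens the guarantee that the server certificate chain is genuine.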