RT-N66U I hosed OpenVPN CA, Cert, Key, and DH how to recover?

nsomnac

I've got an RT-N66U running the latest Asus distributed firmware.

I recently updated TunnelBlick on my Mac, after which other forums suggested replacing the DH params with a 1024-bit prime. I did, but I think there is a bug in the certificate admin form, as it munged all the existing ca, cert, and key.

I tried replacing those again but from the existing client ovpn file I have, and now, while the server doesn't complain of errors, the client does.


Can anyone assist?

I'm happy to just regenerate my own CA, cert, and key - I'm just not sure how to do this. I kinda see how to do this from the easy-rsa tool, but not sure how to go from the dozen or so files to 3 fields in the firmware screens.

Thanks for any direction and pointers.

BTW: everything was working fine until I upgraded TunnelBlick and subsequently modified all the certs and dh params.


Jim
 
Make sure your DH is 1024-bit or higher grade.
 
RMerlin,

Thanks. I had done that on my Mac using:

Code:
openssl dhparam -out dh.pem 1024

Then I copied the contents of the dh.pem into the DH params field and saved.

That's the state I'm in now that doesn't work.


Jim
 
Also, if it helps, here's the client error log:

Code:
2015-07-30 00:10:16 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2015-07-30 00:10:16 UNUSED OPTIONS
6 [keepalive] [15] [60]
12 [resolv-retry] [infinite]
13 [nobind]

2015-07-30 00:10:16 LZO-ASYM init swap=0 asym=0
2015-07-30 00:10:16 EVENT: RESOLVE
2015-07-30 00:10:17 Contacting 75.128.28.228:1194 via UDP
2015-07-30 00:10:17 EVENT: WAIT
2015-07-30 00:10:17 SetTunnelSocket returned 1
2015-07-30 00:10:17 Connecting to arkitec.mooo.com:1194 (75.128.28.228) via UDPv4
2015-07-30 00:10:17 EVENT: CONNECTING
2015-07-30 00:10:17 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2015-07-30 00:10:17 Creds: Username/Password
2015-07-30 00:10:17 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2015-07-30 00:10:18 VERIFY OK: depth=1
cert. version : 3
serial number : E1:8D:77:11:5D:DE:03:44
issuer name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, emailAddress=me@myhost.mydomain
subject name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, emailAddress=me@myhost.mydomain
issued on : 2014-03-21 06:59:00
expires on : 2024-03-18 06:59:00
signed using : RSA with SHA1
RSA key size : 1024 bits
basic constraints : CA=true

2015-07-30 00:10:18 VERIFY OK: depth=0
cert. version : 3
serial number : 02
issuer name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, emailAddress=me@myhost.mydomain
subject name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
issued on : 2014-03-21 06:59:03
expires on : 2024-03-18 06:59:03
signed using : RSA with SHA1
RSA key size : 1024 bits
basic constraints : CA=false
key usage : Digital Signature
ext key usage : TLS Web Client Authentication

2015-07-30 00:10:18 VERIFY FAIL -- bad ns-cert-type in leaf certificate
2015-07-30 00:10:18 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2015-07-30 00:10:18 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2015-07-30 00:10:18 EVENT: DISCONNECTED
2015-07-30 00:10:18 Raw stats on disconnect:
BYTES_IN : 2112
BYTES_OUT : 502
PACKETS_IN : 20
PACKETS_OUT : 20
SSL_ERROR : 1
CERT_VERIFY_FAIL : 1
2015-07-30 00:10:18 Performance stats on disconnect:
CPU usage (microseconds): 30344
Network bytes per CPU second: 86145
Tunnel bytes per CPU second: 0
2015-07-30 00:10:18 EVENT: DISCONNECT_PENDING
2015-07-30 00:10:18 ----- OpenVPN Stop -----



Jim
 
That error comes up in your log:

Code:
2015-07-30 00:10:18 VERIFY FAIL -- bad ns-cert-type in leaf certificate

A Google Search for that specific error message returned this forum post:

http://www.snbforums.com/threads/cannot-connect-openvpn-on-asuswrt-merlin.22975/

Thanks, that makes a bit of sense. I tried googling myself and never found that thread.

So my takeaway is that I've lost my server cert and key, and need to regenerate one. So I did that using the instructions here: https://openvpn.net/index.php/open-source/documentation/howto.html#pki and replaced the ca.crt, server.crt, server.key, dh.pem - however I noted this doesn't add the ca.key - so not sure how client certs would get signed.

I was able to telnet into the router and inspect the filesystem. In /tmp/etc/openvpn/server1/, I found all the config files (including the original ca.key), but I noticed that that whole directory gets deleted upon a form post from the page that saves the CA, Server Cert/Key, and DH. Since this directory gets axed, I've not been able to locate the original ca.key elsewhere, and I'm not sure, if I just replace the ca.key here with my newly generated one, whether the client certs will get signed correctly. Even then, not sure what the passphrase would be for the default cert unless it has none. So I guess the next question is where is the right place for the ca.key to live?

It's quite irritating that ASUS ships with this feature and provides zero documentation on what the UI does.
 
So I guess the next question is where is the right place for the ca.key to live?

It's stored in nvram.

Code:
nvram get vpn_crt_server1_ca

Note that starting with firmwares 3.0.0.4.378_6000 (currently in beta on newer router models), those will be moved to /jffs/openvpn/ .

You shouldn't manually edit nvram however, it's all available on the webui under Advanced Settings, on the "Edit keys and certificates" link.
 
Okay, however there's no field for the CA key. Only for the Server Certificate, Server Key, and DH params.
 

The CA key is not used by OpenVPN. It's only used in generating the CA, and signing server/client certificates. OpenVPN only uses the CA certificate.

When using self-generated key/certs, you should in fact NOT put the CA key on the router itself, as it's a security risk. Anyone who gets ahold of the CA key can generate his own valid client certificates.
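An added, self-contained example of the procedure the last few posts describe (this is not code from the thread, from ASUS or from Asuswrt-Merlin): generate a CA, a server certificate and a client certificate with plain openssl(1) on the workstation, keep ca.key there, and check the server leaf before pasting it into the router. The depth=0 certificate in the log above is CN=client with an extended key usage of TLS Web Client Authentication only, which is exactly what an OpenVPN client's server-certificate check rejects; check_server_cert catches that mistake on a file before it reaches the router. The working directory, the CN values and the key sizes are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or ASUS): build a minimal OpenVPN PKI
# with plain openssl(1) and check the results before pasting them into the
# router's CA / Server Certificate / Server Key / DH fields.
# Names such as "home-vpn-ca" and the working directory are assumptions.
set -eu

# One config file for the CA, the CSRs and the leaf extensions, so the
# example does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
[ client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

# gen_pki DIR: CA (its key stays in DIR on the workstation, never on the
# router), plus a server leaf and a client leaf, both signed with ca.key.
gen_pki() {
  dir=$1
  mkdir -p "$dir"
  write_cnf "$dir/pki.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/pki.cnf" -extensions ca -subj "/CN=home-vpn-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for n in server client; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
      -subj "/CN=$n" -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/$n.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$dir/pki.cnf" -extensions "$n" -out "$dir/$n.crt" 2>/dev/null
  done
}

# gen_dh FILE BITS: DH parameters for the DH field. The thread used 1024;
# 2048 is the usual minimum today and takes noticeably longer to generate.
gen_dh() {
  openssl dhparam -out "$1" "$2" 2>/dev/null
}

# dh_bits FILE: print the size of the DH group stored in FILE.
dh_bits() {
  openssl dhparam -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# check_server_cert CA CERT: succeed only if CERT chains to CA and is
# flagged as a server certificate (nsCertType=server and EKU serverAuth).
# A leaf that carries only client authentication, like the depth=0
# certificate in the log above, fails here.
check_server_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$2" -noout -text 2>/dev/null)
  printf '%s\n' "$txt" | grep -q 'SSL Server' || return 1
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication'
}

# Usage:
#   gen_pki ./pki && gen_dh ./pki/dh.pem 2048
#   check_server_cert ./pki/ca.crt ./pki/server.crt && echo "server cert OK"
#   dh_bits ./pki/dh.pem
# Paste ca.crt, server.crt, server.key and dh.pem into the router's four
# fields; hand client.crt and client.key to the phone; leave ca.key here.
```

Only ca.crt, server.crt, server.key and dh.pem go into the router fields; ca.key stays on the workstation and is the only thing needed to sign further client certificates later. The CA certificate the firmware is currently using can be read back with the `nvram get vpn_crt_server1_ca` command from the reply above and compared against ca.crt to confirm the paste took.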
 
Okay. I thought the CA was also used for the client certs as well.

So then will I have to generate my own client certs as well? Or will it use the server key I provide to sign? Is there a way to supply the passphrase?

I just liked having the router store all that.


Jim
 