After Merlin 386.4 update, Unifi site-to-site openvpn client fails to connect to RT-AX88U openvpn server

wasserbilig

New Around Here
Hi, I have a RT-AX88U. After updating to Merlin 386.4, its openvpn server no longer connects to an Unifi site-to-site openvpn client.

Re-creating the openvpn server on AX88U does not help either.

(Downgrading to the previous 386.3_2 solves the problem, however.)

The error message is: "Authenticate/Decrypt packet error: cipher final failed"

Is it because 386.4's openvpn 2.5.5 no longer supports SHA1 and the 'AES-128-CBC' cipher?

Unifi's site-to-site openvpn client GUI does not have any options on cipher. Any suggestions? Or we can only wait for Unifi's update?

Thanks in advance.
 

Attachments

  • new 3.txt (2.4 KB)

eibgrad

Part of the Furniture
AFAIK, OpenVPN 2.5.5 continues to support the SHA1 hash and AES-128-CBC cipher. You can examine the available ciphers w/ the following command.

Code:
openvpn --show-ciphers

You might try disabling the HMAC setting (which maps down to the auth directive) on both sides to see if that makes any difference. Or perhaps increasing it to something more substantial, like SHA256 (I assume the OpenVPN client lets you set this).

Can't imagine how the OpenVPN client wouldn't accept AES-128-CBC. But here too, nothing prevents you from eliminating it (and even AES-128-GCM) from the server side as an option, thus forcing it to use something stronger (e.g., AES-256-CBC or AES-256-GCM). Given you control both sides of the connection, and it's a static key, there's really no reason to be negotiating the cipher anyway. You can just pick the one you want and specify it on each side (e.g., AES-256-CBC or AES-256-GCM). But if the client doesn't offer that option, I suppose you're forced to *search* for what will work.
 
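As an added example (not part of eibgrad's reply, and not code from the Merlin or Unifi projects): a small POSIX shell script that reads the output of `openvpn --show-ciphers` and `openvpn --show-digests`, checks whether a chosen cipher/auth pair is available on that build, and prints the `cipher` and `auth` lines to pin identically on both ends of a static-key tunnel so nothing is left to negotiation. The listing text below is a constructed sample in the 2.5.x layout (on the router you would substitute the real command output), and the helper names (`cipher_static_key_ok`, `pin_directives`) are this example's own. One detail the listing exposes that is easy to miss: the AEAD `*-GCM` entries are flagged "TLS client/server mode" and are not usable with a pre-shared static key, so the script skips them.

```shell
#!/bin/sh
# Added example: verify a cipher/auth pair exists on an OpenVPN 2.5.x build and
# emit the directives to pin on BOTH sides of a static-key site-to-site tunnel.

# Constructed sample of `openvpn --show-ciphers` output (2.5.x layout).
# Real data: SAMPLE_CIPHERS=$(openvpn --show-ciphers)
SAMPLE_CIPHERS='The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be used as a
parameter to the --data-ciphers (or --cipher) option.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode)
'

# Constructed sample of `openvpn --show-digests` output.
# Real data: SAMPLE_DIGESTS=$(openvpn --show-digests)
SAMPLE_DIGESTS='The following message digests are available for use with
OpenVPN.  A message digest is used in conjunction with
the HMAC function, to authenticate received packets.

SHA1 20 bit digest size
SHA256 32 bit digest size
SHA512 64 bit digest size
'

# cipher_listed LIST NAME: succeeds if NAME appears in the --show-ciphers output.
cipher_listed() {
    printf '%s\n' "$1" | grep -q "^$2 "
}

# cipher_static_key_ok LIST NAME: succeeds if NAME is listed AND is not flagged
# "TLS client/server mode". AEAD ciphers (the *-GCM ones) carry that flag and
# only work with a TLS handshake, not with a pre-shared static key.
cipher_static_key_ok() {
    printf '%s\n' "$1" | grep "^$2 " | grep -qv 'TLS client/server mode'
}

# digest_listed LIST NAME: succeeds if NAME appears in the --show-digests output.
digest_listed() {
    printf '%s\n' "$1" | grep -q "^$2 "
}

# pin_directives CIPHERLIST DIGESTLIST CIPHER AUTH: prints the two lines to put
# in both the server and the client config, or prints nothing and returns 1
# when the pair is not usable in static-key mode on this build.
pin_directives() {
    cipher_static_key_ok "$1" "$3" || return 1
    digest_listed "$2" "$4" || return 1
    printf 'cipher %s\nauth %s\n' "$3" "$4"
}

# Walk a preference list (strongest first) and stop at the first usable pair.
for pair in 'AES-256-GCM SHA256' 'AES-256-CBC SHA256' 'AES-128-CBC SHA1'; do
    set -- $pair
    if pin_directives "$SAMPLE_CIPHERS" "$SAMPLE_DIGESTS" "$1" "$2"; then
        echo "usable static-key pair: $1 / $2"
        break
    else
        echo "skipping $1 / $2 (not usable in static-key mode on this build)"
    fi
done
```

Paste the two printed lines into both the AX88U server config and the client config; if the client GUI exposes no cipher field, the script at least tells you which pairs the server build can honour, which narrows the search eibgrad describes.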

eibgrad

Part of the Furniture
BTW, imo, the value of using HMAC (auth directive) for the home user is highly questionable anyway (if that proves to be the problem). The HMAC helps to mitigate DOS/DDOS attacks (and to a lesser extent, might help to obfuscate the use of a VPN), but if you're experiencing such problems, your lowly router is poorly equipped to handle it anyway. Better to report it to your ISP, who is better equipped to deal with it. Frankly, the use of a static key, which can grow stale w/ time, is the bigger security concern. I'm NOT saying don't use HMAC as long as it works, but if it gives you problems, it's no big deal if you have to live without it.
 

wasserbilig

New Around Here
Thanks for the help. It does not seem to work. I have tried all the combinations but ended in vain. I have now reverted back to 384.3_2. openvpn 2.5 has changed lots. It seems we can only wait for Unifi to update to openvpn 2.5 as well.
 
