After Merlin 386.4 update, Unifi site-to-site openvpn client fails to connect to RT-AX88U openvpn server

wasserbilig

New Around Here
Hi, I have a RT-AX88U. After updating to Merlin 386.4, its openvpn server no longer connects to an Unifi site-to-site openvpn client.

Re-creating the openvpn server on AX88U does not help either.

(Downgrading to the previous 386.3_2 solves the problem, however.)

The error message is: "Authenticate/Decrypt packet error: cipher final failed"

Is it because 386.4's openvpn 2.5.5 no longer supports SHA1 and the 'AES-128-CBC' cipher?

Unifi's site-to-site openvpn client GUI does not have any options on cipher. Any suggestions? Or we can only wait for Unifi's update?

Thanks in advance.
 

Attachments

  • new 3.txt

eibgrad

Part of the Furniture
AFAIK, OpenVPN 2.5.5 continues to support the SHA1 hash and AES-128-CBC cipher. You can examine the available ciphers w/ the following command.

Code:
openvpn --show-ciphers

You might try disabling the HMAC setting (which maps down to the auth directive) on both sides to see if that makes any difference. Or perhaps increasing it to something more substantial, like SHA256 (I assume the OpenVPN client lets you set this).

Can't imagine how the OpenVPN client wouldn't accept AES-128-CBC. But here too, nothing prevents you from eliminating it (and even AES-128-GCM) from the server side as an option, thus forcing it to use something stronger (e.g., AES-256-CBC or AES-256-GCM). Given you control both sides of the connection, and it's a static key, there's really no reason to be negotiating the cipher anyway. You can just pick the one you want and specify it on each side (e.g., AES-256-CBC or AES-256-GCM). But if the client doesn't offer that option, I suppose you're forced to *search* for what will work.
 
Last edited:

eibgrad

Part of the Furniture
BTW, imo, the value of using HMAC (auth directive) for the home user is highly questionable anyway (if that proves to be the problem). The HMAC helps to mitigate DOS/DDOS attacks (and to a lesser extent, might help to obfuscate the use of a VPN), but if you're experiencing such problems, your lowly router is poorly equipped to handle it anyway. Better to report it to your ISP, who is better equipped to deal with it. Frankly, the use of a static key, which can grow stale w/ time, is the bigger security concern. I'm NOT saying don't use HMAC as long as it works, but if it gives you problems, it's no big deal if you have to live without it.
 

wasserbilig

New Around Here
Thanks for the help. It does not seem to work. I have tried all the combinations but ended in vain. Now reverted back to 384.3_2. openvpn 2.5 has changed a lot. It seems we can only wait for Unifi to update to openvpn 2.5 as well.
 

sinbrkatetete

New Around Here
Thanks for the help. It does not seem to work. I have tried all the combinations but ended in vain. Now reverted back to 384.3_2. openvpn 2.5 has changed a lot. It seems we can only wait for Unifi to update to openvpn 2.5 as well.
A bit late, maybe, but just saw your post today. If you're still interested, setting the HMAC to SHA-1 and adding an option --data-ciphers-fallback BF-CBC in the "custom configuration" did it for me just today on RT-AC88U on 386.4 when I encountered the same problem (USG Pro on the other side with SITE-TO-SITE OPENVPN set in GUI).

BTW, I have gotten to the part where my router (USG) is able to ping clients on the ASUS' LAN, but I'm unable to ping ASUS LAN clients from clients on different VLANs on the USG's LAN or ping from ASUS itself any device on any USG's (V)LAN. I'm sure it's got partly to do with routes and partly with firewall.... if you've got the time could you help? Thanks in advance.
 

wasserbilig

New Around Here
A bit late, maybe, but just saw your post today. If you're still interested, setting the HMAC to SHA-1 and adding an option --data-ciphers-fallback BF-CBC in the "custom configuration" did it for me just today on RT-AC88U on 386.4 when I encountered the same problem (USG Pro on the other side with SITE-TO-SITE OPENVPN set in GUI).

BTW, I have gotten to the part where my router (USG) is able to ping clients on the ASUS' LAN, but I'm unable to ping ASUS LAN clients from clients on different VLANs on the USG's LAN or ping from ASUS itself any device on any USG's (V)LAN. I'm sure it's got partly to do with routes and partly with firewall.... if you've got the time could you help? Thanks in advance.
Thanks for your help. I have tried adding "--data-ciphers-fallback BF-CBC". It worked, both in 386.4 and 386.5 for RT-AX88U. A factory reset may be needed on the Asus.

As for the USG client pinging the ASUS LAN, please try adding the following to your ASUS openvpn server's "custom configuration":

push "route 192.168.18.0 255.255.255.0"
route 192.168.20.0 255.255.252.0
route 192.168.24.0 255.255.254.0
--data-ciphers-fallback BF-CBC

where 18 is my Asus LAN and 20-25 are my Unifi LANs. Please modify it according to your topology.

I now have a UDM SE, a USG and a RT-AX88U. I have set up 2 instances of openvpn server on the Asus to serve the UDM and USG respectively. All working.

UDM SE and USG are also linked with their own unifi 'site-to-site openvpn'.

Hope this helps.
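A small checker for the custom-configuration fragment posted above, added here as an example (not code from the thread or from Asuswrt-Merlin): it parses the route / push "route" lines, rejects a network whose address does not sit on its mask boundary, lists which 192.168.x.0/24 LANs the non-pushed routes actually reach, and flags a 64-bit block cipher such as BF-CBC in data-ciphers-fallback so it is not forgotten once the Unifi side can negotiate AES-GCM. The sample input is the thread's own four lines, embedded as a constructed string.

```python
import ipaddress
import re

# Constructed sample: the custom-configuration lines from the post above.
SAMPLE_CUSTOM_CONFIG = """\
push "route 192.168.18.0 255.255.255.0"
route 192.168.20.0 255.255.252.0
route 192.168.24.0 255.255.254.0
--data-ciphers-fallback BF-CBC
"""

# 64-bit block ciphers: acceptable only as a temporary fallback for a peer
# that cannot negotiate anything newer.
WEAK_FALLBACK_CIPHERS = {"BF-CBC", "DES-EDE3-CBC", "DES-CBC"}

ROUTE_RE = re.compile(r'^(push\s+")?route\s+([0-9.]+)\s+([0-9.]+)"?$')


def check_custom_config(text):
    """Return (routes, findings) for an OpenVPN custom-config fragment.

    routes: list of (directive, ip_network) in the order seen
    findings: warnings about mis-aligned/overlapping routes or weak ciphers
    """
    routes, findings = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("-")      # accept "--data-ciphers-fallback" too
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if m:
            kind = "push route" if m.group(1) else "route"
            try:
                # strict=True rejects e.g. 192.168.21.0 with mask 255.255.252.0
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=True)
            except ValueError as exc:
                findings.append(f"{kind} {m.group(2)} {m.group(3)}: {exc}")
                continue
            routes.append((kind, net))
            continue
        parts = line.split()
        if parts[0] == "data-ciphers-fallback" and len(parts) == 2:
            if parts[1].upper() in WEAK_FALLBACK_CIPHERS:
                findings.append(f"data-ciphers-fallback {parts[1]}: 64-bit block cipher")
    for i, (_, a) in enumerate(routes):          # overlaps usually mean a typo'd mask
        for _, b in routes[i + 1:]:
            if a.overlaps(b):
                findings.append(f"routes {a} and {b} overlap")
    return routes, findings


def covered_lans(routes):
    """Third octets of every /24 reachable via the server's own (non-pushed) routes."""
    octets = set()
    for kind, net in routes:
        if kind == "route" and net.prefixlen <= 24:
            for sub in net.subnets(new_prefix=24):
                octets.add(int(str(sub.network_address).split(".")[2]))
    return sorted(octets)
```

Run on the sample it confirms that the two route lines cover exactly 192.168.20-25 and reports the BF-CBC fallback.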
 
