Default OpenVPN server no longer works with OpenSSL 3


automaton

Occasional Visitor
I have an RT-AC68U running Merlin 386.3_2.

It's running OpenVPN with a basic setup. All I did was enable it and add a user.

This has always worked until now. With some of the latest OpenVPN clients it won't connect:

Code:
9:14 a.m. library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
9:14 a.m. OpenSSL: error:0A00018E:SSL routines::ca md too weak
9:14 a.m. OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes

Any idea why the default OpenVPN config no longer works?
 

octopus

Very Senior Member
I have an RT-AC68U running Merlin 386.3_2.

It's running OpenVPN with a basic setup. All I did was enable it and add a user.

This has always worked until now. With some of the latest OpenVPN clients it won't connect:

9:14 a.m. library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10

9:14 a.m. OpenSSL: error:0A00018E:SSL routines::ca md too weak

9:14 a.m. OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes

Any idea why the default OpenVPN config no longer works?
You use too weak a hash, it must be SHA256.
 

octopus

Very Senior Member
Hi,

I didn't do anything other than turn on OpenVPN in Merlin. So I don't know how to configure that, or why I need to do more than just enable VPN in Merlin?
You can make your keys yourself or wait for the next RMerlin update. Someone has published a temporary workaround.
 

wingman1487

New Around Here
Have the same issue with the OpenVPN app as well, posted over in their Git and was pointed to this workaround in the app that is a temp work around. If anyone knows how we can generate the SHA256 keys in the router do let me know, otherwise I'll be using this workaround for now.

In the OpenVPN Android app, select to edit the profile. Select Advanced, scroll down until you see Enable Custom Options and tick the box if it is not already ticked. Now click on Custom options and add the following line:

--tls-cipher DEFAULT:@SECLEVEL=0

Click OK

The angry face emoji in there is supposed to be a : and @
 

automaton

Occasional Visitor
Have the same issue with the OpenVPN app as well, posted over in their Git and was pointed to this workaround in the app that is a temp work around. If anyone knows how we can generate the SHA256 keys in the router do let me know, otherwise I'll be using this workaround for now.
The angry face emoji in there is supposed to be a : and @
Thank you, this worked!

It would be nice if the router could generate whatever is needed automatically since I'm not knowledgeable enough nor have time to try and figure this stuff out myself atm (kids..). Hopefully it gets fixed soon.
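
To see which digest a profile's CA certificate is signed with (the property behind the "ca md too weak" error in this thread), the following added example reads the signatureAlgorithm field of the certificate in an inline `<ca>` block. It is not from any poster or from the OpenVPN or Asuswrt-Merlin projects; the function names and the skeleton sample certificate are constructed for illustration, and it assumes the profile embeds the CA inline.

```python
import base64
import re

# Signature-algorithm OIDs -> (name, is the digest SHA-256?). Others report as unknown.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for byte in data[1:]:  # base-128 digits, high bit set on all but the last
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def ca_signature_algorithm(profile_text):
    """Return (oid, name, is_sha256) for the first certificate in the <ca> block."""
    m = re.search(r"<ca>.*?-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  profile_text, re.S)
    if m is None:
        raise ValueError("no inline <ca> certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert_start, _ = read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)       # signatureAlgorithm SEQUENCE
    _, oid_start, oid_end = read_tlv(der, alg_start)
    oid = decode_oid(der[oid_start:oid_end])
    return (oid, *SIG_OIDS.get(oid, ("unknown", False)))

def constructed_profile(alg_byte):
    """Constructed sample: a skeleton DER certificate (not a real one) inside <ca>."""
    der = bytes.fromhex("30173003020101300d06092a864886f70d0101%02x0500030100" % alg_byte)
    b64 = base64.b64encode(der).decode()
    return f"client\n<ca>\n-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n</ca>\n"
```

Calling `ca_signature_algorithm()` on the text of an exported profile shows whether the CA still needs regenerating with SHA-256. With the OpenSSL command-line tool, `openssl x509 -in ca.crt -noout -text` (file name assumed) prints the same field as "Signature Algorithm".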
 