Default OpenVPN server no longer works with OpenSSL 3

automaton

Occasional Visitor
I have an RT-AC68U running Merlin 386.3_2.

It's running OpenVPN with basic setup. All I did was enable it and add a user.

This has always worked until now; with some of the latest OpenVPN clients it won't connect:

Code:
9:14 a.m. library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
9:14 a.m. OpenSSL: error:0A00018E:SSL routines::ca md too weak
9:14 a.m. OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes

Any idea why the default OpenVPN config no longer works?
 
You use too weak a hash, it must be sha256
 
Hi,

I didn't do anything other than turn on OpenVPN in Merlin. So I don't know how to configure that, or why I need to do more than just enable VPN in Merlin?
You can make your keys yourself or wait for the next RMerlin update. Someone has published a temporary workaround.
 
Have the same issue with the OpenVPN app as well, posted over in their Git and was pointed to this workaround in the app that is a temp work around. If anyone knows how we can generate the SHA256 keys in the router do let me know, otherwise I'll be using this workaround for now.

In the OpenVPN Android app, select to edit the profile. Select Advanced, scroll down until you see Enable Custom Options and tick the box if it is not already ticked. Now click on Custom options and add the following line:

--tls-cipher DEFAULT:@SECLEVEL=0

Click OK
 
Thank you, this worked!

It would be nice if the router could generate whatever is needed automatically since I'm not knowledgeable enough nor have time to try and figure this stuff out myself atm (kids..). Hopefully it gets fixed soon.
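
Added example, not part of any post in this thread: `@SECLEVEL=0` switches off OpenSSL's minimum-strength checks for the connection, so it helps to confirm which signature hash the certificates in an exported profile actually use and to drop the workaround once they are SHA-256. The sketch below reads the signature-algorithm OID straight from each PEM certificate in an `.ovpn` text; the function names are hypothetical and the sample is a constructed DER skeleton, not the router's certificate.

```python
import base64, re

# Signature-algorithm OIDs -> (name, weak?); MD5 and SHA-1 trigger "ca md too weak".
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the DER element that begins at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def decode_oid(body):
    arcs, val = list(divmod(body[0], 40)), 0
    for b in body[1:]:  # base-128 digits, high bit set on all but the last
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    start, _ = read_tlv(der, 0)            # enter the outer SEQUENCE
    _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    alg_start, _ = read_tlv(der, tbs_end)  # enter AlgorithmIdentifier
    return decode_oid(der[slice(*read_tlv(der, alg_start))])

def audit(profile_text):
    """List (algorithm, weak) per PEM certificate; weak is None for unknown OIDs."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                      profile_text, re.S)
    return [SIG_ALGS.get(oid, (oid, None))
            for oid in (signature_oid(base64.b64decode(p)) for p in pems)]

def stub_cert(sig_oid_hex):
    """Constructed sample (9-byte OID body): DER skeleton, not a real certificate."""
    der = bytes.fromhex("30183003020101300d0609" + sig_oid_hex + "050003020000")
    return ("<ca>\n-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n</ca>\n")

if __name__ == "__main__":
    for name, weak in audit(stub_cert("2a864886f70d010105")):  # SHA-1 sample
        print(name, "-> WEAK, regenerate with SHA-256" if weak else "-> ok")
```

To check a real profile, pass the contents of the exported `.ovpn` file to `audit()`; every certificate block in it is reported in order.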
 