
Does Unifi ever update their OpenVPN server software?

HarryH3

Regular Contributor
I set up a hand-me-down Ubiquiti Unifi UDR for testing. When I set up the OpenVPN server on it and downloaded the client, I was shocked to see that it still uses SHA1 for auth. :eek: I seem to recall this getting updated in Merlin a long time ago, by integrating later versions of OpenVPN Server into his configs. Does anyone attempt to keep Ubiquiti on their toes for stuff like this? IIRC, SHA1 was deprecated as incredibly easy to crack around 2011 or so. I'm also not sure that the cipher AES-256-CBC is supported on later versions of OpenVPN server, but that could just be my failing memory. o_O

I seriously doubt that my VPN use would be incredibly useful to anyone, but it just doesn't seem right that a 1-man code warrior can update his ASUS code so much better than a bazillion dollar corporation does! :) Do they only treat their lower end routers like this, or do their uber-expensive enterprise grade boxes have this same deficiency?

This is part of the client.ovpn file created by the UDR:
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

auth SHA1
key-direction 1

The UDR has the latest released updates:
Unifi OS: 4.4.11
Network 10.0.162

So yeah, no excuses. :confused: Or are there?

Any thoughts? Thanks!
 
SHA1 was deprecated as incredibly easy to crack
As an HMAC, SHA1 is still fine. It's not used for security purposes, it's used for integrity purposes, so it's not an issue.
 
As an HMAC, SHA1 is still fine. It's not used for security purposes, it's used for integrity purposes, so it's not an issue.
Good to know! I'm still amazed that you manage to integrate newer versions of third-party packages in your firmware than Ubiquiti does in theirs. :cool: Well done, sir!
 
I believe they use a 2.5.x version currently. A new UniFi OS update is in Release Candidate stage; I don't know what version will be there, if different. I can only guess that software complexity, a large ecosystem and 3rd-party hardware compatibility require a certain level of stability and coordination. They would rather patch specific issues only than replace a package. I have UniFi gateways on residential networks, but also Netgate gateways on business networks. Netgate uses a similar approach. They did move to 2.6.x though, for DCO.
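The two technical points in the replies above (HMAC-SHA1 is an integrity check, not the collision-prone use of SHA-1; and the shipped profile reflects an OpenVPN 2.4/2.5-era configuration) can be checked mechanically against the fragment quoted in the first post. The following audit script is an added example for this thread, not code from Ubiquiti, UniFi or any poster; the function names (`parse_profile`, `audit_profile`) and the severity labels are my own assumptions, and the profile text is the fragment from the first post embedded inline so the script runs offline.

```python
"""Audit an OpenVPN client profile for the settings discussed in the thread.

Added example for this thread; not Ubiquiti/UniFi or forum-poster code.
Assumptions (not from the page): the function names and severity labels are
hypothetical; the profile below is the fragment quoted in the first post.
"""
import re

# The fragment from the first post, reproduced inline so this runs offline.
UDR_PROFILE = """\
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

auth SHA1
key-direction 1
"""

# Data-channel ciphers that provide authenticated encryption on their own.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_profile(text):
    """Return {directive: [[args], ...]} for top-level directives.

    Blank lines, '#'/';' comments and the contents of inline <ca>, <cert>,
    <tls-crypt> ... blocks are skipped (none appear in the quoted fragment).
    """
    opts = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if re.match(r"^<[\w-]+>$", line):
            in_block = True
            continue
        if re.match(r"^</[\w-]+>$", line):
            in_block = False
            continue
        if in_block:
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def audit_profile(text):
    """Return a list of (severity, directive, finding) tuples, in profile order."""
    opts = parse_profile(text)
    findings = []

    # 'auth' selects the HMAC used for data-channel integrity with a CBC cipher.
    # HMAC-SHA1 does not rely on SHA-1 collision resistance, so the 2011-era
    # collision results do not apply; and once an AEAD cipher (AES-GCM) is
    # negotiated the 'auth' digest is not used for the data channel at all.
    if "auth" in opts and opts["auth"][0][0].upper() == "SHA1":
        findings.append(("info", "auth",
                         "HMAC-SHA1 for data-channel integrity; not affected by "
                         "SHA-1 collision attacks, and unused once an AEAD cipher "
                         "is negotiated"))

    # 'cipher' is the pre-negotiation data-channel cipher. OpenVPN 2.4+ peers
    # negotiate the cipher (NCP: 'ncp-ciphers', renamed 'data-ciphers' in 2.5)
    # and both defaults list AES-256-GCM first, so two 2.4+/2.5 endpoints end up
    # on GCM even with this line; 'cipher' itself is deprecated since 2.5.
    if "cipher" in opts:
        c = opts["cipher"][0][0].upper()
        if (c not in AEAD_CIPHERS
                and "data-ciphers" not in opts and "ncp-ciphers" not in opts):
            findings.append(("low", "cipher",
                             f"{c} is a CBC cipher; acceptable as a fallback, but "
                             "add 'data-ciphers AES-256-GCM:AES-128-GCM' to pin AEAD "
                             "negotiation ('cipher' is deprecated since OpenVPN 2.5)"))

    # Compression leaks plaintext length to an attacker who can inject chosen
    # data into the tunnel (VORACLE-style attacks); upstream deprecated comp-lzo.
    if "comp-lzo" in opts or "compress" in opts:
        findings.append(("medium", "comp-lzo",
                         "compression enabled; disable it "
                         "(OpenVPN 2.5+: 'allow-compression no')"))

    return findings


if __name__ == "__main__":
    for severity, directive, finding in audit_profile(UDR_PROFILE):
        print(f"[{severity}] {directive}: {finding}")
```

Run against the quoted fragment, the script reports one informational finding for `auth SHA1`, a low-severity note that `cipher AES-256-CBC` without `data-ciphers` relies on negotiation to reach GCM, and a medium-severity finding for `comp-lzo`, which is the setting in that fragment most worth changing. A fragment using `cipher AES-256-GCM` with `auth SHA256` and no compression produces no findings. Because the first post shows only part of the `.ovpn`, the script deliberately does not report on directives that may live elsewhere in the file, such as `tls-crypt` or the inline certificate blocks.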
 