Does Unifi ever update their OpenVPN server software?

[HarryH3]

I setup a hand-me-down Ubiquiti Unifi UDR for testing. When I setup the OpenVPN server on it and downloaded the client, I was shocked to see that it still uses SHA1 for auth. I seem to recall this getting updated in Merlin a long time ago, by integrating later versions of OpenVPN Server into his configs. Does anyone attempt to keep Ubiquiti on their toes for stuff like this? IIRC, SHA1 was deprecated as incredibly easy to crack around 2011 or so. I'm also not sure that the cipher AES-256-CBC is supported on later versions of OpenVPN server, but that could just be my failing memory.

I seriously doubt that my VPN use would be incredibly useful to anyone, but it just doesn't seem right that a 1-man code warrior can update his ASUS code so much better than a bazillion dollar corporation does! Do they only treat their lower end routers like this, or do their uber-expensive enterprise grade boxes have this same deficiency?

This is part of the client.opvn file created by the UDR:
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

auth SHA1
key-direction 1

The UDR has the latest released updates :
Unifi OS: 4.4.11
Network 10.0.162

So yeah, no excuses. Or are there?

Any thoughts? Thanks!

 

[RMerlin]

SHA1 was deprecated as incredibly easy to crack

As an HMAC, SHA1 is still fine. It's not used for security purposes, it's used for integrity purposes, so it's not an issue.

 

[HarryH3]

As an HMAC, SHA1 is still fine. It's not used for security purposes, it's used for integrity purposes, so it's not an issue.

Good to know! I'm still amazed that you manage to integrate newer versions of third-party packages in your firmware than Ubiquiti does in theirs. Well done, sir!

 

[Tech9]

I believe they use 2.5.x version currently. A new UniFi OS update is in Release Candidate stage, don't know what version will be there, if different. I can only guess software complexity, large ecosystem and 3rd party hardware compatibility requires certain level of stability and coordination. They would rather patch specific issues only than replace a package. I have UniFi gateways on residential networks, but also Netgate gateways on business networks. Netgate use similar approach. They did move to 2.6.x though for DCO.

 

[RMerlin]

Good to know! I'm still amazed that you manage to integrate newer versions of third-party packages in your firmware than Ubiquiti does in theirs. Well done, sir!

Engineering priorities...

They're not the only ones. Mikrotik also uses an ancien version. And Asus only upgraded to 2.6 in Asuswrt 6 because it was necessary for the OpenSSL 3.x upgrade, before that they were still on the 2.4 version that they inherited from my code. I suspect they will stay on 2.4 for all models on the previous version of Asuswrt.

 

[Piotrek]

I believe they use 2.5.x version currently.

This seems to be a custom (UI) build of OpenVPN 2.5.

OpenVPN 2.5.1 [git:HEAD/053febf36f28a97d+] aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 18 2025library versions: OpenSSL 1.1.1w 11 Sep 2023, LZO 2.10Originally developed by James YonanCopyright (C) 2002-2018 OpenVPN Inc <[email protected]>Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

I'm also annoyed by the inability to configure the OpenVPN server to suit my needs.

 

[Tech9]

This seems to be a custom (UI) build of OpenVPN 2.5.

I don't know. Seems like all big vendors avoid something released relatively recently for good reasons.

 

[Piotrek]

OpenVPN 2.6 was released over 3 years ago – which is long enough, in my opinion
I bet it's more about getting users to use Wireguard
The practical lack of GUI configuration options is really frustrating (Asuswrt and Asuswrt-Merlin could be a great example of what should be available).

 

[Tech9]

The practical lack of GUI configuration options is really frustrating

You just set it up and it works with all UniFi gateways. You don't have to explain your settings and don't have to have access to the other side. I find frustrating the amount of settings exposed on a home router.

 

[RMerlin]

For all the flaks some people give at home router manufacturers for not updating components, those "prosumer" products ain't much better there. OpenVPN 2.5.1 - there has been a significant number of fixes (both functionality and security) in the 2.5.x branch alone since that release. No reason not to update to newer 2.5.x releases, OpenVPN only does breaking changes in major releases, like 2.6.x.

I have a customer with a Mikrotik, and their OpenVPN (and OpenSSL) implementation is so antique that I need to manually downgrade security settings in my 2.6.x client to be able to connect with it.

It's not just a random system library there - OpenVPN is a WAN-fronting service for which security is critical. Somehow I doubt that they bothered backporting fixes from newer 2.5.x releases.

 

[Piotrek]

You just set it up and it works with all UniFi gateways.

It works, but for security and performance reasons, I'd like to make a few changes.

Somehow I doubt that they bothered backporting fixes from newer 2.5.x releases.

In my opinion, this isn't the standard version.

OpenVPN 2.5.1 [git:HEAD/053febf36f28a97d+] aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 18 2025

OpenVPN 2.5.1 [git:HEAD/053febf36f28a97d+] aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 18 2025
library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no