
OpenVPN configuration not compatible with OpenVPN Connect 3.4.0


Ok, back to the OP's quest for a solution... I have just run across this same issue after updating the OpenVPN app on my phone to 3.4.1. I have spent time discussing this with OpenVPN, who were very helpful, and ASUS, who were not helpful. I have the ASUS RT-AC87U and am running the latest firmware. After realizing that the 3.4.1 version of the OpenVPN app's default security level was causing the "You are using insecure hash algorithm in CA signature." error, I went into my router and changed the Encryption cipher to AES 256 CBC in combination with using SHA256 for the HMAC Authentication and then created a new client.ovpn file. However, that did not work.

The OpenVPN tech looked at my log files from the phone and found the following: "[Jan 17, 2024, 13:38:47] EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future"

This is the same thing @RMerlin said in his reply to the OP. The OpenVPN tech said... "In the case of your server (my router), the encryption cipher and the hash are using secure options, but the signature in the certificate is using a weak one." This matches what the error msg says from the OP ( @Volkis ) and on my phone. My router does not offer me the "Renew Certificate" button like some ASUS router screens I've seen on the internet while searching for a solution. It doesn't seem to matter which cipher or HMAC authentication I use; when applying my changes and then clicking Export, the file is signed with SHA1 and the new OpenVPN app rejects it. Sure, I can use the lowest security option in the phone app, but I would rather solve this issue instead, and I don't have time right now to look for a new router and set it up as I'm about to go on travel and wanted to use the VPN on my phone. - ugh.

Does anyone know a way to solve this?
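
The distinction drawn in the post above, between the cipher/HMAC settings and the hash used to sign the certificate, can be checked directly in an exported profile. This is an added example (not part of the original post, and not OpenVPN or ASUS code): stdlib-only Python that reads the signatureAlgorithm OID of the inline `<ca>` and `<cert>` certificates; the function names and the sample profile are constructed for illustration.

```python
import base64, re

# signatureAlgorithm OID -> (name, signed with a weak hash?)
SIG_ALGS = {"1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
            "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False)}

def read_tlv(buf, pos):  # returns (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0   # first byte packs the first two arcs
    for byte in body[1:]:                            # remaining arcs are base-128
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_sig_alg(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, start, _ = read_tlv(der, 0)              # enter outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # enter AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(der[oid_start:oid_end])

def audit_profile(text):
    """Map each inline <ca>/<cert> block (first certificate only) to (name, weak?)."""
    pem = r"<(ca|cert)>\s*-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    report = {}
    for block, b64 in re.findall(pem, text, re.S):
        oid = cert_sig_alg(base64.b64decode("".join(b64.split())))
        report[block] = SIG_ALGS.get(oid, (oid, None))   # None = OID not in the table
    return report

# Constructed sample: certificate-shaped DER skeletons, not real certificates.
def _der(tag, body):
    return bytes([tag, len(body)]) + body       # short-form length (< 128 bytes) only
def _pem(oid_body):
    alg = _der(0x30, _der(0x06, oid_body) + b"\x05\x00")
    der = _der(0x30, _der(0x30, b"\x02\x01\x01") + alg + _der(0x03, b"\x00\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
RSA = bytes.fromhex("2a864886f70d0101")         # 1.2.840.113549.1.1 prefix
PROFILE = "<ca>\n" + _pem(RSA + b"\x05") + "</ca>\n<cert>\n" + _pem(RSA + b"\x0b") + "</cert>\n"
```

Calling `audit_profile()` on the text of a real exported client.ovpn reports the same pair for each inline block; a weak `ca` entry stays weak whatever cipher or HMAC the profile selects.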
 

It sounds like you need to completely reset the OpenVPN connection and generate new certificates: use the "reset to default" button. Then reconfigure from scratch, with new 2048 bit certificate, and ultimately re-export your config file to your devices. A hassle, but probably the only way to resolve this.
 
Thanks for the reply! Do you mean a factory reset on the router?
 

No, he meant reset the VPN configuration settings using the "Default" button.
Hmmm, well, I just looked at both the General and Advanced Settings screen for the built in OpenVPN on my router and I don't have a Reset button. Just like I don't have a Renew Cert button.
 
Post a screen shot of the whole page. Your firmware is so old that we can't remember what it used to look like.
 
🤣🤣 Tell me about it, I know it's old, in tech years probably like 200! Ok, here they are...

Screenshot 2024-01-18 at 3.39.12 PM.jpg
Screenshot 2024-01-18 at 3.40.35 PM.jpg
 
Sorry, I thought you were running Merlin's firmware as this is the Merlin forum. But it looks like you're not. Merlin's implementation of OpenVPN is different than Asus' so the available options are different too.

It looks like you're out of luck using the GUI. Short of factory resetting the entire router the only other thing I can suggest is that you SSH into the router and try and reset the VPN settings from there.
 
Yowza, after reading your note I did find where I happened upon the Merlin forum. I got to this forum via an internet search of my error msg. I should really go to the ASUS wireless forum and post there. Thanks for telling me that. Well, I'm about to head out of town, no time to mess around with resets, etc., so will live with it till I get back if the ASUS wireless forum doesn't have a magic wand, but I suspect no one will. Thanks for your responses.
 
I also renewed to a 2048-bit file and imported the new profile... But OpenVPN Connect says it's missing the certificate... So I export it from the Asus router page, I click "export current certificate"...
It then saves me a .cert file, but the OpenVPN Connect tool asks for a .pf12 .pkcs12 .pfx file...
How can I export that file?

In the old .ovpn profile, the certificate was included... in the file itself... now with the new exported file, it's missing that part.

How to continue?
 
I have the setup below.
I now added these sections to my .ovpn file... manually.
When I then import the file in OpenVPN Connect, it doesn't ask me for a cert file now,

but upon connecting, I get this error:

Feb 13 21:03:28 ovpn-server1[19655]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.0.187:58826 (via [AF_INET]xxxxx%br0)
Feb 13 21:03:29 ovpn-server1[19655]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.0.187:58826 (via [AF_INET]xxxx%br0)


Code:
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx

-----END PRIVATE KEY-----
</key>


1707854456290.png
 
