Solved OpenVPN server issue

Zastoff

Very Senior Member
Updated the VPN-client on my android phone today (OpenVPN for Android by Arne Schwabe)
Now when I try to connect to the VPN server on my AX-88u I get the following
Code:
2021-10-05 15:28:54 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.25-0-g4a9cbd88] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct  4 2021
2021-10-05 15:28:54 library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
2021-10-05 15:28:54 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2021-10-05 15:28:54 MANAGEMENT: CMD 'version 3'
2021-10-05 15:28:54 MANAGEMENT: CMD 'hold release'
2021-10-05 15:28:54 MANAGEMENT: CMD 'bytecount 2'
2021-10-05 15:28:54 MANAGEMENT: CMD 'username 'Auth' ******'
2021-10-05 15:28:54 MANAGEMENT: CMD 'state on'
2021-10-05 15:28:54 MANAGEMENT: CMD 'password [...]'
2021-10-05 15:28:54 MANAGEMENT: CMD 'proxy NONE'
2021-10-05 15:28:55 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2021-10-05 15:28:55 OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes
2021-10-05 15:28:55 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
2021-10-05 15:28:55 MANAGEMENT: Client disconnected
2021-10-05 15:28:55 Cannot load inline certificate file
2021-10-05 15:28:55 Exiting due to fatal error
2021-10-05 15:28:55 Process exited with exit value 1
Any advice on how to solve?
Edit:
Installed the OpenVPN Connect app and tested it, and it works, but I would like to use the other one since OpenVPN Connect does not seem to support CHACHA20-POLY1305

Edit1: added a bit more from log

Edit2: Looks like it will be solved with the next firmware release

Edit3: From 386.4_alpha2 onward this is fixed; the VPN servers need to be set to default and reconfigured to get the new cert and keys.
RSA-SHA256
 

eibgrad

Part of the Furniture
For some reason, that Android app seems to think the CA cert has been signed w/ an MD5 hash (which as it says, is considered too weak). But if that cert was generated by the OpenVPN server on Merlin, that's not going to happen. And the fact it works w/ OpenVPN Connect suggests it's NOT using MD5. I have no familiarity w/ that OpenVPN app on Android, so I'm at a loss to explain it. I assume you imported the client .ovpn file generated on Merlin to the Android app.
 

festus77

Occasional Visitor
May be related, someone posted this morning on the AirVPN forums.

 

eibgrad

Part of the Furniture
May be related, someone posted this morning on the AirVPN forums.


Good catch, however, that thread suggests the problem lies w/ AirVPN's CA cert. But the OP's problem involves the router's OpenVPN server and CA cert. What are the odds both would have the same problem at the same time? Seems to me the problem lies w/ the Android app, esp. since OpenVPN Connect works fine. So it's an interesting coincidence, but I'm NOT convinced the problem actually lies w/ the CA cert.
 

fallenoracle

New Around Here
Updated the VPN-client on my android phone today (OpenVPN for Android by Arne Schwabe)
Now when I try to connect to the VPN server on my AX-88u I get the following
Code:
2021-10-05 15:28:54 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.25-0-g4a9cbd88] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct  4 2021
2021-10-05 15:28:54 library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
2021-10-05 15:28:54 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2021-10-05 15:28:54 MANAGEMENT: CMD 'version 3'
2021-10-05 15:28:54 MANAGEMENT: CMD 'hold release'
2021-10-05 15:28:54 MANAGEMENT: CMD 'bytecount 2'
2021-10-05 15:28:54 MANAGEMENT: CMD 'username 'Auth' ******'
2021-10-05 15:28:54 MANAGEMENT: CMD 'state on'
2021-10-05 15:28:54 MANAGEMENT: CMD 'password [...]'
2021-10-05 15:28:54 MANAGEMENT: CMD 'proxy NONE'
2021-10-05 15:28:55 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2021-10-05 15:28:55 OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes
2021-10-05 15:28:55 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
2021-10-05 15:28:55 MANAGEMENT: Client disconnected
2021-10-05 15:28:55 Cannot load inline certificate file
2021-10-05 15:28:55 Exiting due to fatal error
2021-10-05 15:28:55 Process exited with exit value 1
Any advice on how to solve?
Edit:
Installed the OpenVPN Connect app and tested it, and it works, but I would like to use the other one since OpenVPN Connect does not seem to support CHACHA20-POLY1305

Edit1: added a bit more from log
Having the exact same issue. Reverted to the previous APK version and emailed the developer. The only changes mentioned in the update are OpenSSL 3.0, bug fixes, and modernized defaults and compatibility modes to connect to older servers.

OpenVPN Connect works fine as well but prefer OpenVPN for Android with more features.

Will see what the developer says.
 

fallenoracle

New Around Here
So the developer is telling me that it is being signed with SHA1, which is deprecated. So I am unsure what to do here. I am trying EasyRSA but not having any luck; it just sits and says it's working on generating the ovpn file but never comes to fruition.
 

grifo

Senior Member
I've also had this today, I'm temporarily using the workaround mentioned on the app's FAQ, adding tls-cipher DEFAULT:@SECLEVEL=0 to the profile's configuration under Advanced > Custom options. Hopefully there will be a fix soon.
 

fallenoracle

New Around Here
I've also had this today, I'm temporarily using the workaround mentioned on the app's FAQ, adding tls-cipher DEFAULT:@SECLEVEL=0 to the profile's configuration under Advanced > Custom options. Hopefully there will be a fix soon.
I ended up doing the same so as not to mess with it otherwise; already spent way too much time on it. I realized that Merlin shows the last update for OpenVPN is 2.5.3, whereas OpenVPN for Android is now 3.0. I am guessing that's the connection. I don't think the workaround is a big deal; the connection is still secure, just not "signed" as it expects.
 

elorimer

Very Senior Member
There is this suggestion on github:
Code:
Please do an openssl x509 -noout -text -in cert.pem on the ca and cert to ensure that your certs really do not use SHA1/MD5.
 

eibgrad

Part of the Furniture
FYI. If you have any doubts about the Merlin CAs/CERTs, you can dump them (for server1 and server2) w/ the following commands.

Code:
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_ca
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_client_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_ca
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_client_crt

As it turns out, mine report sha1.

P.S. All you really need to check is the CA, since that will be used to sign either the client or server certs, which will inherit the same encryption algorithm.
 

mister

Regular Contributor
I have the same problem and first tried to rebuild everything on my OpenVPN server. But even with a completely new configuration and different settings it didn't work with OpenVPN for Android.

I pasted eibgrad's commands into PuTTY
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_ca
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_client_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_ca
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_client_crt

without any success with "OpenVPN for Android", but it was saying:
Signature Algorithm: sha1WithRSAEncryption

Any idea how to transform to stronger encryption without making everything new?

Thanks a lot,
hugo

PS: OpenVPN Connect is working, by the way....
 

Attachments: OPenvpn Server.PNG (screenshot of the OpenVPN Server page)

mister

Regular Contributor
It would be nice if one of the experts could paste a short how-to for me for transforming the configuration :)

Thanks a lot

Hugo
 

eibgrad

Part of the Furniture
AFAIK, you can't "transform" the existing certs/keys. You'd have to generate a new CA cert based on sha256 (or better), which will then be used to generate server/client certs/keys, also based on sha256. And since the router is in control of the choice of algorithm, and I know of no way to change it, you'd probably have to use EasyRSA to rebuild all your certs & keys. As it happens, that's what I normally do anyway (EasyRSA v3), and fwiw, it defaults to sha256, NOT sha1.

If you find it impractical to go through that admittedly tedious process, your better option might be to employ the previous suggestion.

Code:
tls-cipher DEFAULT:@SECLEVEL=0
 

mister

Regular Contributor
Hi Eibgrad,
thanks a lot for your support. Did I understand you correctly that I am not able to rebuild a new configuration with sha256 via the webui or a script and export the OpenVPN files? I would then need to regenerate a new OpenVPN configuration with another external application and copy and paste the keys into the different fields (webui edit)?

Would the router be able to work with that better encryption in general?

Your other idea didn't work. I got this response when I added the line in the advanced settings:

21:04 EVENT(Error): CERT_VERIFY_FAIL: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:0A000086:SSL routines::certificate verify failed
 

elorimer

Very Senior Member
Turning off security with that command worked for me. My sense is that unless the firmware uses sha256 to generate new certs we would have to generate them outside the server and then paste them into the fields. Not looking forward to that but it looks like I've got three chromebooks I'll have to do that for.

EDIT: oh, and then three routers and three windows boxes.
 

eibgrad

Part of the Furniture
Your other idea didn't work. I got this response when I added the line in the advanced settings:

21:04 EVENT(Error): CERT_VERIFY_FAIL: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:0A000086:SSL routines::certificate verify failed

Did you make the change to *both* the server and client configs?
 

eibgrad

Part of the Furniture
Turning off security with that command worked for me. My sense is that unless the firmware uses sha256 to generate new certs we would have to generate them outside the server and then paste them into the fields. Not looking forward to that but it looks like I've got three chromebooks I'll have to do that for.

It will be particularly tedious for Merlin users since they are used to having the OpenVPN server auto-generate and export a matching client configuration file. In order to keep the whole process "in order", you'll want to make sure you copy all the client files to the /jffs/openvpn directory too, NOT just the server files, including the CA key (which is NOT part of either the server or client configs per se, but is used to generate any future server or client certs and keys). IOW, this is a messy process and it's easy to make a mistake in overwriting the files in /jffs/openvpn w/ the files generated from EasyRSA. That's why the tls-cipher option is going to prove useful (if not necessary) for a lot of users.
 

eibgrad

Part of the Furniture
Would the router be able to work with that better encryption in general?

Google phased out TLS support for sha1 years ago, in favor of sha256. OpenVPN is on the same path. But as a practical matter, sha1 is still safe given it would still take an extraordinary effort to crack it (think state actor w/ lots of $$ and well-defined target, and even then). And realize we're only talking about the command channel here (TLS), NOT the data channel (tunnel). The command channel represents a relatively minor part of the OpenVPN process. Perhaps one way to mitigate any threat (as minor as it might be) would be to use tls-auth or tls-crypt, which adds another level of encryption on top of the TLS connection.

So I would always recommend more security than less. But there's no need for anyone to panic here. Nor hesitate to use the tls-cipher option for the time being. It's not like the use of sha1 in the present situation is hanging you out to dry.

JMTC
 

LilyKim

Occasional Visitor
Turning off security with that command worked for me. My sense is that unless the firmware uses sha256 to generate new certs we would have to generate them outside the server and then paste them into the fields. Not looking forward to that but it looks like I've got three chromebooks I'll have to do that for.
Not sure what I am doing wrong. I've made all my cert stuff following the guide on OpenVPN yet when I paste them in and apply the server gets stuck on:
Initialinzing the settings of OpenVPN server now, please wait a few minutes to let the server to setup completed before VPN clients establish the connection.
 

fallenoracle

New Around Here
Not sure what I am doing wrong. I've made all my cert stuff following the guide on OpenVPN yet when I paste them in and apply the server gets stuck on:
Initialinzing the settings of OpenVPN server now, please wait a few minutes to let the server to setup completed before VPN clients establish the connection.
I get the same with EasyRSA. I'm comfortable with the work around for now I guess.
 
