doczenith1
Very Senior Member
Well for whatever reason I am still able to connect to my ovpn server after updating the OpenVPN for Android app. I was getting ready to apply the work around but thought I'd try to connect first and it just connected.
Solved OpenVPN server issue
- Thread starter Zastoff
- Start date
fallenoracle
Occasional Visitor
Anyone know if Merlin or Asus have any plans soon to update this certificate issue?
L&LD
Part of the Furniture
At least @doczenith1 doesn't have any issues.
RMerlin nor Asus need to do anything if it works as expected.
Your network setup is suspect. That is where you need to turn the investigation to.
RMerlin nor Asus need to do anything if it works as expected.
Your network setup is suspect. That is where you need to turn the investigation to.
fallenoracle
Occasional Visitor
I'm confused. How would my network setup be suspect if I have no control over what is built into the router in signing the certificate aside from a tedious process that defeats the purpose of such feature? I'm also clearly not the only one having the issue. And why are we signing certificates with such an outdated method?
L&LD
Part of the Furniture
You don't need control (necessarily) for your network, specifically, to be in question.
Your router, your client device(s), your choice of firmware and/or VPN providers, and any and all combinations thereof, are the culprit, today.
I can't see how this is something that Asus or RMerlin can successfully attack, today.
Your router, your client device(s), your choice of firmware and/or VPN providers, and any and all combinations thereof, are the culprit, today.
I can't see how this is something that Asus or RMerlin can successfully attack, today.
fallenoracle
Occasional Visitor
I guess without knowing more about the back end I'm not sure how complicated it really is. Just in reading this article this is something that should have been fixed some time ago, obviously by Asus.
I'm using the latest Merlin firmware and the devices using the router VPN server are definitely not old, less than a year.
openvpn.net
I'm using the latest Merlin firmware and the devices using the router VPN server are definitely not old, less than a year.
MD5 Signature Algorithm Support
Details on why we don't recommend using MD5 as an algorithm and its insecurities.
Stop. This is an issue --a very specific and repeatable issue--connecting to an Asus router running Merlin from something running on Android because the AsusMerlin firmware is encoding a cert with SHA1. One fix is for that something not to be so sensitive, and that's been figured out, the other is exploring whether the cert can/should be encoded with something else. This isn't something swanning around, and no VPN provider in the mix.
Last edited:
I updated, had no problem, and then updated again and had this exact problem, which went away with the exact workaround.
How did you create your certificates? Because mines have a SHA256 signatures here...
Code:
admin@stargate88ax:/jffs/openvpn# openssl x509 -in vpn_crt_server1_crt -noout -text | grep Signature
Signature Algorithm: sha256WithRSAEncryption
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryptionIn fact, I "fixed" that 5 years ago.
Code:
commit 2e150ce55828638fb2fb474468e01c73fdfbd6cb
Author: Eric Sauvageau <[email protected]>
Date: Fri Dec 23 12:22:55 2016 -0500
openvpn: Use sha256 for key/certs generated by Easy-RSA (used by key/certs auto-generated by the firmware)EDIT: it's a regression. I fixed that 5 years ago, but when I replaced my patched easy-rsa with Asus' own, my fix got lost.
Last edited:
fallenoracle
Occasional Visitor
Interesting. For me all I did originally is setup the VPN server with the defaults, worked fine up until yesterday with the update to OpenVPN for Android. I've since reset etc and it's still doing the same thing unless I put the work around in.
See my updated post. I fixed that 5 years ago, but when I merged Asus's upstream code with the big 386 merge, the change got lost. So certs generated under 384 used SHA256, but since 386.1 they were generated with SHA1.
fallenoracle
Occasional Visitor
Okay whew. Thanks for getting on here and checking!
I only made it on the app. I added it to the servers and now the workaround is working. Thanks a lot for your support.
In principle I will try to harden the encryption as it is recommend. I will take a look on that.....
Thanks a lot Merlin for your explanation.
For me it seems, that we are currently save even with the sha1 encryption. You said, that you changed it in the old firmware version. So will you do that fix in the next version of your current - very excellent - firmware as well ? And if so , what would be the consequences for me ? Just delete the OpenVPN Servers via setting it on standard configuration and setup them again ?
Thanks a lot for your support.
Hugo.
Yes, I will reapply the fix for a future release. People would need to regenerate keys and certificates if they want to switch to SHA256 signatures and they were using certs generated with 386.x or with the stock firmware.
SHA1 signatures are not a real security concern in this case.
SHA1 signatures are not a real security concern in this case.
Hi Merlin,
thanks a lot for your quick reply and your explanation . As I said, I appreciate your work and support very much. When the next Merlin firmware will be released, I setup my both OpenVPN Servers again , as I did it in the past via webui and export the .ovpn files. If I understood you right, I will then automatically get the sha256 encrypted certificates.
Thanks a lot again.
Hugo
LilyKim
Occasional Visitor
Thanks for the update, and for saying it isn't a real security concern, which was my biggest worry!
This has been such a stable app for years, much better than the official app, but just at the moment is in a strange place. Somewhat ironically the changelog says that it has been revised to improve compatibility with older servers! And we need now to make changes in an area marked "you are on your own here
". (Smiley in original).Every single config I have is throwing errors with .7.26. With apologies to @L&LD, that includes VPNUnlimited. But now I know how to fix those.
Similar threads
Similar threads
Similar threads
-
-
ASUS Merlin on RT-AC86U OpenVPN Server not blocking IP when a client connects- Started by Harry Azcrac
- Replies: 2
-
OpenVPN Server - Client speeds seem capped at 20mbps??
- Started by Futuristic
- Replies: 2
-
-
-
-
Why doesn't the OpenVPN client support adding a shadowsocks proxy to it by default?- Started by Zakalwe
- Replies: 1
-
-
Planning to remove some obsolete OpenVPN settings in the near future- Started by RMerlin
- Replies: 1
-