
RT-AC87U & OpenVPN: Using insecure hash algorithm in CA Sig


Marty

Occasional Visitor
Intro: I know now that this is not a new issue, but I just ran into it and I don't think ASUS is going to resolve it, so I thought I'd post here in case someone has found a solution. I know the workaround is just to use a lower security level in the OpenVPN phone app. I'll default to that for now if I have to, but would rather find a better solution until I can replace my router.

Issue: I have just run across this after updating the OpenVPN app on my phone to 3.4.1. I have spent time discussing this with OpenVPN, who were very helpful, and ASUS, who were not helpful. I have the ASUS RT-AC87U (yeah, it's old) and am running the latest firmware (yeah, that's old too :) After realizing that the 3.4.1 version of the OpenVPN app's default security level was causing the "You are using insecure hash algorithm in CA signature." error, I went into my router and changed the Encryption cipher to AES 256 CBC in combination with using SHA256 for the HMAC Authentication and then created a new client.ovpn file. However, that did not work; I got the same error.

The OpenVPN tech looked at my log files from the phone and found the following: "[Jan 17, 2024, 13:38:47] EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future"

The OpenVPN tech said: "In the case of your server (my router), the encryption cipher and the hash are using secure options, but the signature in the certificate is using a weak one." This matches what the error msg says on my phone. My router does not offer me the "Renew Certificate" button like some ASUS router screens I've seen on the internet while searching for a solution; maybe that's due to me running ASUS firmware and not Merlin, I don't know. It doesn't seem to matter which cipher or HMAC authentication I use: when applying my changes and then clicking Export, the file is signed with SHA1 and the new OpenVPN app rejects it. Sure, I can use the lowest security option in the phone app, but I would rather solve this issue instead, and I don't have time right now to look for a new router and set it up as I'm about to go on travel and wanted to use the VPN on my phone. - ugh.

Does anyone know a way to get my router to sign with a more secure algorithm, like SHA256 or similar?
 

Attachment: tempImageRP3WtZ.png
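The OpenVPN tech's diagnosis above turns on one detail that is not visible in the router's cipher or HMAC settings: the signature algorithm of the CA certificate embedded in the exported profile. The following script is an added example (not code from the thread, ASUS or OpenVPN) that pulls the `<ca>` block out of an .ovpn file and reads the certificate's outer signatureAlgorithm OID directly from the DER, using only the standard library, so it can be run on any exported profile before importing it into a strict client. The `make_sample_profile` helper and the `vpn.example.invalid` remote are constructed for the demo; it builds a skeleton certificate whose only real part is the outer Certificate structure, which is all the checker needs, and the same `check_ovpn_ca` call works on a real profile.

```python
"""Report the signature algorithm of the CA certificate embedded in an .ovpn profile.

Added example, not from the forum thread or from ASUS/OpenVPN. Standard library only.
"""
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 5758, RFC 8017, RFC 8410) and whether the
# hash behind them is still considered strong (MD5 and SHA-1 are not).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
    "1.3.101.112": ("Ed25519", True),
}


def _read_tlv(data, pos):
    """Decode one DER TLV at data[pos]; return (tag, content_bytes, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_of_der(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)    # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)


def extract_ca_pem(ovpn_text):
    """Return the PEM text of the inline <ca> block of an OpenVPN profile."""
    m = re.search(r"<ca>\s*(.*?)\s*</ca>", ovpn_text, re.S)
    if not m:
        raise ValueError("profile has no inline <ca> block")
    return m.group(1)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def check_ovpn_ca(ovpn_text):
    """Summarise the CA signature algorithm of a profile and whether it is acceptable."""
    oid = signature_algorithm_of_der(pem_to_der(extract_ca_pem(ovpn_text)))
    name, strong = SIG_ALG_OIDS.get(oid, (oid, False))  # unknown OID: treat as weak
    return {"oid": oid, "algorithm": name, "acceptable": strong}


# --- constructed sample input (not a real certificate) --------------------------------

def _der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Dotted-decimal OID to DER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return out


def make_sample_profile(sig_oid):
    """Constructed .ovpn text whose <ca> is a skeleton certificate 'signed' with sig_oid.

    Only the outer Certificate structure is genuine; tbsCertificate and the signature
    bit string are placeholders, which is enough for the checker above.
    """
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs = _der(0x30, _der(0x02, b"\x01"))
    sig = _der(0x03, b"\x00" * 33)
    der = _der(0x30, tbs + alg_id + sig)
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
           + "-----END CERTIFICATE-----")
    return "client\ndev tun\nremote vpn.example.invalid 1194\n<ca>\n" + pem + "\n</ca>\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_ovpn_ca(make_sample_profile(oid)))
```

On a real export, `check_ovpn_ca(open("client.ovpn").read())` reports `sha1WithRSAEncryption` with `acceptable: False` for a profile in the state the thread describes; that is the same fact the phone client's "received certificate signed with SHA1" warning reports, and no cipher or HMAC setting changes it, only re-issuing the CA with a SHA-2 signature does.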
Hi, did you find the solution? I am having the same issue.
I worked with both ASUS and OpenVPN. ASUS said my router was too old and to buy a new one! OpenVPN said that as time goes on, they continue to upgrade their security protocols. So, all I could do was to downgrade the security option in OpenVPN on my phone and laptop, see attached screenshot. This worked and will suffice till I do actually buy a new router.


Screenshot 2024-02-13 at 6.18.00 PM.jpg
 
OpenVPN Connect is quite picky. I also had to set it to "Insecure" mode to connect to a new QNAP NAS that was configured less than a year ago for a customer.
 
I'm ok with that, I'd rather err on the safer side. Choosing the Insecure option doesn't mean it's a giant risk, it's just the least secure of all their protocols. Their latest client version is pretty recent; that is when they upped their game and my old connection no longer worked. I already knew my router was old and in a way am glad this happened because it will force me to finally change and upgrade my router, which I've wanted to do for a while now. I was just being lazy and didn't want to go in search of new routers and rebuild my network.
I am considering a Ubiquiti EdgeRouter and a couple of access points this time instead of an all-in-one WiFi router. Any suggestions on that?
 
I am considering a Ubiquiti EdgeRouter and a couple of access points this time instead of an all-in-one WiFi router. Any suggestions on that?

Dream Router is better. Comes with CloudKey and has 2x PoE LAN ports. Just add 2x APs for a complete 3x APs UniFi system.



Good for up to 700Mbps Internet line when built-in IPS/IDS is used. Some users say it can do more with newer firmware releases.
 
Marty,

Thanks for posting, I just began to configure an OpenVPN server on my Asus RT-AC56U (also old). Like you, I found that only by setting the "Insecure" mode could I connect from my Android OpenVPN client. What perplexes me is WHY my certs are being seen as insecure. I chose the HIGHEST levels of encryption available to the router interface. Can I possibly assume (in spite of the warnings about "Insecure") that the encryption strengths and protocols selected when creating the .ovpn file are in fact actually the ones in use when the "insecure" connection is established?

I have a rather limited scope for using a VPN. Specifically, I need to connect a single application through a specified internal IP address for 2-3 minutes at a time several times a day. This is to allow synchronization of a complicated but very small calendar database between several mobile (Android) devices and the server database. There is no other use intended. I can restrict connections on the OpenVPN server side to that small number of devices.

The risk seems lower than my current sync approach, which requires a Dropbox intermediary. If the risk IS actually as low as I hope with OpenVPN, it would be more convenient than the thrash of getting a new router (e.g., RT-AX86U) with a more up-to-date OpenVPN Server.

Thoughts? Thanks.
 
@Marty

For me this issue was solved by clicking on Renew Certificate as shown in the screenshot below, and downloading and importing the new OVPN config file. I'm on firmware version 3.0.0.4.386_51685 of the original Asus firmware on an Asus RT-AC66U B1.

This also silenced the warning about --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM) that was shown when using the Windows OpenVPN client. They seem to have solved this by adding ignore-unknown-option cipher data-ciphers but still keeping AES-256-CBC for the options cipher and data-ciphers.

I don't know if they chose that route because AES-256-GCM is not supported on this router, but it's not available under Advanced Settings > Encryption cipher. But instead of adding an option for ignoring unknown options, I think it would've been preferable to just go with the recommendation provided in the warning which is to "Add AES-256-CBC to --data-ciphers or change --cipher AES-256-CBC to --data-ciphers-fallback AES-256-CBC to silence this warning". I've therefore edited the config generated by the router from this:

ignore-unknown-option cipher data-ciphers
cipher AES-256-CBC
data-ciphers AES-256-CBC

to this:

data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC

1714732422024.png
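The edit described in this post (replacing `cipher X` with `data-ciphers-fallback X` and dropping `ignore-unknown-option`) is exactly what the OpenVPN warning quoted above recommends, and it is easy to apply to every profile a router exports. The following script is an added example (not code from the thread, ASUS or OpenVPN) that reproduces the check behind that warning and rewrites a profile accordingly. It assumes the client default of `AES-256-GCM:AES-128-GCM` for `--data-ciphers` when the profile sets none, which is the default named in the warning text quoted in the post; `ROUTER_PROFILE` and `OLD_PROFILE` are constructed inputs, the former using the three lines the post quotes from the router's export.

```python
"""Lint and modernise the cipher directives of an OpenVPN client profile.

Added example, not from the forum thread or from ASUS/OpenVPN.
"""

# Default --data-ciphers a client negotiates when the profile sets none; this is the
# list the OpenVPN warning quoted in the thread shows in parentheses (assumed here).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]


def parse_directives(profile_text):
    """Map each top-level directive name to its argument list; inline <tag> blocks are skipped."""
    directives, in_block = {}, False
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def lint_ciphers(profile_text):
    """Return the problems a current OpenVPN client would warn about for this profile."""
    d = parse_directives(profile_text)
    legacy = (d.get("cipher") or [None])[0]
    listed = d.get("data-ciphers")
    negotiable = listed[0].split(":") if listed else DEFAULT_DATA_CIPHERS
    issues = []
    if legacy and legacy not in negotiable:
        issues.append(f"--cipher {legacy} is missing in --data-ciphers ({':'.join(negotiable)})")
    if "ignore-unknown-option" in d:
        issues.append("ignore-unknown-option hides configuration problems instead of fixing them")
    return issues


def modernize(profile_text):
    """Apply the fix the warning recommends: cipher X -> data-ciphers-fallback X,
    and drop ignore-unknown-option. Every other line is kept as-is."""
    out = []
    for raw in profile_text.splitlines():
        parts = raw.split()
        name = parts[0] if parts else ""
        if name == "ignore-unknown-option":
            continue
        if name == "cipher" and len(parts) == 2:
            out.append(f"data-ciphers-fallback {parts[1]}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample profiles (no real keys or hosts).
OLD_PROFILE = """client
dev tun
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA256
"""

ROUTER_PROFILE = """client
dev tun
remote vpn.example.invalid 1194
ignore-unknown-option cipher data-ciphers
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA256
"""

if __name__ == "__main__":
    for label, profile in (("old", OLD_PROFILE), ("router", ROUTER_PROFILE)):
        print(label, lint_ciphers(profile))
        print(modernize(profile))
```

`lint_ciphers(OLD_PROFILE)` reproduces the "missing in --data-ciphers" warning from the post for a profile that only sets `cipher`; `lint_ciphers(ROUTER_PROFILE)` is quiet about the cipher list (the router put AES-256-CBC in `data-ciphers`) but flags `ignore-unknown-option`; after `modernize` both profiles lint clean and carry the `data-ciphers-fallback AES-256-CBC` line the post settled on, so a newer server that supports AES-256-GCM can negotiate it while the old router still gets CBC.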
 
Right, renewing the cert would work IF my router had a Renew button but it does not and ASUS said my router is no longer supported and will not be getting any further updates and suggested I buy a new one :-(
 
Personally I think the RT-AC87U was a lame duck from the outset; it had major issues with the 5G band due to a new chip they were using, and they probably couldn't wait to make it obsolete. I bought a new one; it had stability issues, I think heat related, on the 5G band, so I sent it back for repair. They sent me a replacement (refurbished) and it had the same issues, so that went back too, and then they sent me another one that finally worked. While I like their user interface, I'm not going to buy another ASUS because working with them on any issue is painful. They take forever to respond and their replies are super short, which just leads to more questions as you try to understand what they are saying.
 
