Adam Networks - AsusWrt Merlin

Your VPN client file contains an invalid remote line.

From what you've indicated before you're trying to put something in there which contains an @ character. That is invalid. It should be your router's public IP address (e.g. 123.44.55.66) or a valid DDNS name (e.g. myhostname.org).

The example you gave earlier, 172.172.172.172@xxxxxxx.org is not valid.
Thank you for the reply. The OpenVPN Server generated that remote address. It is my DDNS entry and my host name entry is @ and my Domain Name is bigbadw.org.

I will go into the client and take the @ character out and see if that works?
 
SOLVED!
Like a charm! Removed the @ character, reloaded the client configuration and BAM! connects right up!
Thank you for the help!
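
The failure resolved above can be caught before a client ever loads the file. The following is an added example, not part of the thread and not code from the firmware: a small Python check of the `remote` lines in an exported .ovpn file. The function names are hypothetical, and the sample config is constructed from the addresses quoted in the thread, with port 1194 and the 172.172.172.999 entry added as assumptions.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def check_host(host):
    """Return None if host is a usable remote address, else a reason string."""
    try:
        ipaddress.ip_address(host)          # accepts IPv4 and IPv6 literals
        return None
    except ValueError:
        pass
    if "@" in host:
        return "contains '@', which is not valid in a hostname"
    if len(host) > 253:
        return "hostname longer than 253 characters"
    labels = host.rstrip(".").split(".")
    bad = [label for label in labels if not _LABEL.match(label)]
    if bad:
        return f"invalid DNS label(s): {bad}"
    if labels[-1].isdigit():
        return "looks like a malformed IP address"
    return None

def check_remotes(config_text):
    """Return [(line_number, host, reason)] for every bad `remote` directive."""
    problems = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0] != "remote":   # skips comments and inline certs
            continue
        if len(parts) < 2:
            problems.append((lineno, "", "remote has no host"))
            continue
        reason = check_host(parts[1])
        if reason is None and len(parts) > 2:
            port = parts[2]
            if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
                reason = f"invalid port {port!r}"
        if reason:
            problems.append((lineno, parts[1], reason))
    return problems

# Constructed sample: hosts taken from the thread, port and last entry assumed.
SAMPLE = """client
dev tun
remote 172.172.172.172@xxxxxxx.org 1194
remote myhostname.org 1194
remote 123.44.55.66 1194
remote 172.172.172.999 1194
"""

if __name__ == "__main__":
    for lineno, host, reason in check_remotes(SAMPLE):
        print(f"line {lineno}: {host}: {reason}")
```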
 
I noticed that I am unable to connect from the client when I select the "Preferred (Recommended)" security level.
But I can connect with the Legacy security level.

The client error code states: Connection Failed. OpenSSLContext:
SSL_CTX_use_certificate failed:
error: 0A00018F:SSL routines::ee key too small

I suspect there is a Server configuration that needs to be set up properly?
 
My first guess would be that you need to go to your VPN server's General Settings and set RSA Encryption = 2048 bit.
 
Do you have this:
Untitled.png
 
I do not have that option showing.
You said previously that you're using Merlin's firmware 3004.388.8_4 but that doesn't seem to be the case?

Set the VPN server to OFF and Apply that change. Then select ON and you should see the RSA option appear.
 
Holy heck Batman. Just like you said. Thank you.
Ok, I will start testing with this new setting now.
 
I am currently experiencing issues getting OpenVPN working properly.

Still not able to set the OpenVPN client to use the recommended security level: Preferred.
I have set up the OpenVPN server by selecting: RSA 2048 bit, selected apply, then generated a new OpenVPN client.

Yet still, the OpenVPN client generates the attached error message. (note: Legacy security level does work).
 

OK I've recreated the problem. It appears to be a bug/feature - you can't change the RSA size for an existing VPN server profile (it just ignores the change).

What you need to do is remove the current profile by clicking the "Default" button at the bottom of the page, then create it afresh. Export the new config and it should work.
 
Dude, you are amazing. Appreciate all the work you went through helping me here. I will do that now. (I was afraid to hit that "Default" setting, being concerned it would mess up the router)
 
OK I've recreated the problem. It appears to be a bug/feature - you can't change the RSA size for an existing VPN server profile (it just ignores the change).
Well, you can actually, but admittedly, the crucial step might not be readily obvious or intuitive at first. Here are the full steps to change the RSA encryption key size for an already configured OpenVPN Server:

- Toggle the OpenVPN Server instance to "OFF" (#1) and then click on the "Apply" button (#2).
OpenVPN_Server_OFF_APPLY.jpg


- Toggle the OpenVPN Server instance back to "ON" (#3), select the RSA key size (#4), and then click on the "Apply" button (#5) found at the bottom of the "Username and Password" section. You do *not* need to click on the "Default" button.
OpenVPN_Server_ON_2048.jpg

OpenVPN_Server_APPLY.jpg


- Finally, the most crucial part is to click on the "Renew" button (#6) *before* you export the OpenVPN client configuration. This "Renew" step regenerates the keys and certificates using the previously selected RSA key size.
OpenVPN_Server_RENEW.jpg


That's it.
 
Now that is clear as mud for an average user to figure out! How long did it take you to figure this out?
 
I put the "pieces together" about 7-8 years ago. I don't recall exactly when, but it was well before the COVID-19 lockdowns started, and I was not even specifically looking to change the RSA key size.

You see, I was managing my parents' & my in-laws' network routers (a pair of RT-AC68Us back then), and I had set up the OpenVPN Servers so that I could remotely log in and check things out whenever they had some issues or wanted me to tweak some settings. I had the 2 OpenVPN servers for each router configured exactly the same (except for port number & IP subnet address, of course), but only the 1st server was left enabled/active. The 2nd server was a backup just in case the 1st one was, for some reason, not active or running, and my watchdog script would automatically enable & start the 2nd server.

During the process of setting all this up, I noticed that the RSA key size option became available only when toggling the OpenVPN server OFF and then back ON. Later on, while playing with some options, I read the tooltip that pops up for the "Renew Certificate" title (see sample screenshot below), which was the key piece indicating how to regenerate the keys & certificates when needed *without* reconfiguring the server.

OpenVPN_Server_Renew_Tooltip.jpg


So, to try to answer your question, I figured out the steps not in one single session, but it was more of a series of events that led me to the serendipitous discovery while setting up & testing the 2 OpenVPN servers so they would operate the way I wanted them to for my parents & in-laws.
 
The things we do for our parents, in-laws and family. Thanks for the explanation. I saved your observations. I am sure it will come in handy.
 
