What's new

Asus RT-AC86U - Firmware update 386.9_0 (most recent update) breaks the easy-rsa package as there is no openssl-1.1.1.cnf file

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

abraxas86

Occasional Visitor
Not too sure where to post this, hopefully this is the right place...

I'm doing my best to follow the tutorials to get an OpenVPN server going for intermittent use on my home router. I'm up to my neck in documentation for everything, but I'm reaching a point where I'm not sure how much more I can branch out before I start losing everything I've gathered.

I'm trying to use the easy-rsa package that comes with the router (for the sake of consistency with the wiki tutorial)

After setting up the vars and trying to run source ./vars, I encountered an error that it couldn't find the .cnf file (specifically, "No /mnt/sda1/easy-rsa/openssl.cnf file could be found")

I read the script to see what it was doing - it's checking the version of OpenSSL that's installed, and tries to call the appropriate .cnf file based on the version, however there is no openssl-1.1.1.cnf. The only .cnf that comes with the package is openssl-1.0.0.cnf

I'm not confident enough that I can just rename the 1.0.0 to make it work, and I'm not sure I'd be able to troubleshoot any further to make sense of anything that goes wrong at that point. I don't even know how many people use this script often - I could likely do it from my Linux computer without issue, but the vars file I got there was much different from the one in the tutorial and I didn't want to mess it up...

No rush on a solution, I'm gonna take a nap for a bit and maybe take another swing at this all later with a refreshed mind, but if anybody could point me in the right direction I would be grateful.

Thanks in advance.

[EDIT] Realized I should probably check the easy-rsa side of things. Looks like the package included with the router is the older version. It should be updated to version 3 which I think includes support for OpenSSL 1.1.1. It's also why the vars file I had locally looked so much different from the one on the router. Anyway, gonna get some sleep - I'll take another crack at it later.
 
Last edited:
I started work on migrating to easy-rsa3 about one or two years ago, and dropped the idea while in the middle of the project due to multiple issues coming up during the process. Portions of the firmware use easy-rsa, all that code has to be rewritten to work with with easy-rsa3, which might completely break things for any portion of the code using it that may be closed source and outside of my control.
 
Thanks! I'll do my best to get the CA stuff set up on my laptop and transferred to the router. If I understand you correctly, the only problems are with the easy-rsa script stuff to set up the CA.

Might be worth removing the easy-rsa stuff from the image altogether, and update the documentation to note that it's deprecated.

Maybe temporarily include a script called setuprsa.sh, but have it just echo that the old process is no longer possible due to the need to integrate easy-rsa3?

Not to tell you what to do, just some suggestions to help transition things.
 
Might be worth removing the easy-rsa stuff from the image altogether
No, because as I wrote, the firmware itself uses it, which is why I cannot safely make drastic changes to it.
 
Although kinda frowned upon I store my ca, key, cert, tls-crypt, dh files on a USB on the router

If you're on a windows machine you can download the Openvpn installer and Easyrsa3 is included if you add the option in custom install

Setup your vars file in the program files/openvpn/easy-rsa folder and from the command line run Easyrsa-Start.bat

And I follow the PKI procedure: Producing your complete PKI on the CA machine guide to create the ca, certs and keys then transfer the required files to my server on the router and to clients
 
That's what I've done and it works fine. I follow the instructions in this site: https://firxworx.com/blog/devops/cr...keys-for-openvpn-server-with-easyrsa-on-macos

Additionally, I create the static key on the router itself and use tls crypt.

It's working fine on a AC68U router with 386.9_0 (I set it up for a friend)

Hope that helps.

I've tried this, but I'm still messing something up. It can't find the dh.pem file and I have no idea where I'm supposed to store it. If we're copy/pasting the value of these files into their respective boxes, I don't understand why the files themselves even need to be stored anywhere on the filesystem?

This while thing is weird - pretty much all the googling and stuff I've done makes it seem like this should be as straight-forward as turning the switch to "on", creating accounts, and then hitting apply. All the tutorials and such that I've found make no reference to having to do any of this configuration...

All I wanted was a way to get an internal IP address on my phone while I was outside of my home network so that I could access resources on my home network easier.
 
Well, it was like that for me at the beginning. Let's begin with the keys generated by easy-rsa:

In the PKI folder you'll find the "ca.crt" and "dh.pem files". Open them with a text editor and copy and paste the contents in the respective places (see attached "Keys and certificates" image).

Same with "server.crt" in the "issued" folder and "server.key" in the "private" folder.

Then copy and paste the static key generated in your router.

I'm including a screenshot of my general settings as well.

Let's get your OpenVPN server running first. Then you'll have to craft the .ovpn files for the different clients.
 

Attachments

  • OpenVPN server settings.png
    OpenVPN server settings.png
    128.8 KB · Views: 61
  • Keys and certificates.png
    Keys and certificates.png
    60.7 KB · Views: 61
Well, it was like that for me at the beginning. Let's begin with the keys generated by easy-rsa:

In the PKI folder you'll find the "ca.crt" and "dh.pem files". Open them with a text editor and copy and paste the contents in the respective places (see attached "Keys and certificates" image).

Same with "server.crt" in the "issued" folder and "server.key" in the "private" folder.

Then copy and paste the static key generated in your router.

I'm including a screenshot of my general settings as well.

Let's get your OpenVPN server running first. Then you'll have to craft the .ovpn files for the different clients.

That's what I did, but it's not sticking... Do you need USB storage/jffs for it to work? That's the only thing I don't have right now.

Also, are those fields that we fill in with the key/certificate blocks supposed to be persistent? When I leave and come back to them, they're all empty again. I thought this was by design for the sake of security, but maybe not lol
 
That's what I did, but it's not sticking... Do you need USB storage/jffs for it to work? That's the only thing I don't have right now.
No, it's not necessary

Also, are those fields that we fill in with the key/certificate blocks supposed to be persistent? When I leave and come back to them, they're all empty again. I thought this was by design for the sake of security, but maybe not lol
They should be persistent. After clicking the Save button when you enter the keys, did you press "Apply" in the OpenVPN settings?
 
Yeah - clicked the apply button or whatever at the bottom of the keys/certs pop-up, then hit apply at the bottom of the OpenVPN page.

The router shows the loading animation, the over on the log page, it shows the dh.pem error, then the OpenVPN page goes back to the general settings.

All the other settings seem to save, but the keys/certs boxes are all empty if you click the "edit" button again.

Maybe a wonky firmware update on my end. I'll try re-patching tonight. If that fails, I guess I could scribble everything down on paper, do a factory reset, then manually load everything in again. Other than that, would the router wipe the info if one or more of the files I made weren't valid for some reason?
 
@abraxas86 I really don't understand why you're trying to manually create keys/certificates using easy-rsa or any other external program. It's completely unnecessary if you just want to enable the VPN server. Just turn the server "On", click Apply and that's it. It automatically generates the keys and certificates, you don't need to do anything else.
 
@abraxas86 I really don't understand why you're trying to manually create keys/certificates using easy-rsa or any other external program. It's completely unnecessary if you just want to enable the VPN server. Just turn the server "On", click Apply and that's it. It automatically generates the keys and certificates, you don't need to do anything else.
I tried this, and it failed which is how I ended up in the easyrsa rabbit hole - I thought maybe I needed to generate that additional info to get things working.
 
I tried this, and it failed which is how I ended up in the easyrsa rabbit hole -
The only reason I can think of that would cause it to fail would be if your router's /jffs partition was full. Check it at Tools - System Information > Internal Storage.

I thought maybe I needed to generate that additional info to get things working.
No this is not necessary.

Go back to your VPN server and click on the "Default" button. Wait for it to complete. Then turn it "On" again and click "Apply". That's it.
 
The only reason I can think of that would cause it to fail would be if your router's /jffs partition was full. Check it at Tools - System Information > Internal Storage.


No this is not necessary.

Go back to your VPN server and click on the "Default" button. Wait for it to complete. Then turn it "On" again and click "Apply". That's it.

This did it! Apparently I didn't have the jffs partition set. Set to format on next boot, rebooted, and it's working perfectly. Thanks!

Learned a lot through this whole thing, I'm not even mad lol. Thanks all for the help.
 
I believe @abraxas86 has previous experience with equipment where it had to be done manually.
Like me! If I'm not mistaken, firmware 384.xx didn't have these keys generated by default. That's why I learned this, and I didn't know it had changed.

Are the keys and certs generated by the router good enough? If there is no advantage in using easy-rsa, then I have pone less thing to worry about...
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top