Default OpenVPN server no longer works with OpenSSL 3

[automaton]

I have an RT-AC68U running Merlin 386.3_2.

It's running OpenVPN with basic setup. All I did was enable it and added a user.

This has always worked until now with some latest OpenVPN clients it won't connect with:

9:14 a.m. library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
9:14 a.m. OpenSSL: error:0A00018E:SSL routines::ca md too weak
9:14 a.m. OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes

Any idea why the default OpenVPN config no longer works?

 

[octopus]

I have an RT-AC68U running Merlin 386.3_2.

It's running OpenVPN with basic setup. All I did was enable it and added a user.

This has always worked until now with some latest OpenVPN clients it won't connect with:

9:14 a.m. library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10

9:14 a.m. OpenSSL: error:0A00018E:SSL routines::ca md too weak

9:14 a.m. OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes

Any idea why the default OpenVPN config no longer works?

You use to weak hash, must be sha256

 

[automaton]

You use to weak hash, must be sha256

Hi,

I didn't do anything other than turn on OpenVPN in Merlin. So I don't know how to configure that, or why I need to do more than just enable VPN in Merlin?

 

[octopus]

Hi,

I didn't do anything other than turn on OpenVPN in Merlin. So I don't know how to configure that, or why I need to do more than just enable VPN in Merlin?

You can make your keys yourself or wait for next RMerlin update. Someone have publish a temporary workaround.

 

[wingman1487]

Have the same issue with the OpenVPN app as well, posted over in their Git and was pointed to this workaround in the app that is a temp work around. If anyone knows how we can generate the SHA256 keys in the router do let me know, otherwise I'll be using this workaround for now.

In the OpenVPN Android app, select to edit the profile. select Advanced, scroll down until you see Enable Custom Options and tick the box if it is not already ticked. Now click on Custom options and add the following line

--tls-cipher DEFAULTSECLEVEL=0

Click OK

The angry face emoji in there is supposed to be a : and @

 

[automaton]

Have the same issue with the OpenVPN app as well, posted over in their Git and was pointed to this workaround in the app that is a temp work around. If anyone knows how we can generate the SHA256 keys in the router do let me know, otherwise I'll be using this workaround for now.
The angry face emoji in there is supposed to be a : and @

Thank you, this worked!

It would be nice if the router could generate whatever is needed automatically since I'm not knowledgable enough nor have time to try and figure this stuff out myself atm (kids..). Hopefully it gets fixed soon.

 

[elorimer]

This was discussed last week here: https://www.snbforums.com/threads/openvpn-server-issue.75087/

@RMerlin has redone his fix in the most recent commit.