What's new

Open VPN App No Longer Working

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

David2001

Occasional Visitor
After updating to the latest iOS Open VPN client, I can no longer connect to the server side on the Asus AX86U. I think the iOS client has updated to the newest open VPN version while the Asus Merlin server implementation is out of spec at this point. Is there a fix coming?
 

Attachments

  • IMG_2718.jpeg
    IMG_2718.jpeg
    60.2 KB · Views: 57
To add more details. I believe what is happening is that iOS client is now using Open SSL 3.0.8 while Asus Merlin’s implementation still issues 1.1.1
 
After updating to the latest iOS Open VPN client, I can no longer connect to the server side on the Asus AX86U. I think the iOS client has updated to the newest open VPN version while the Asus Merlin server implementation is out of spec at this point. Is there a fix coming?
The problem is not due to the OpenSSL (or OpenVPN) software. The cause of the error & the solution are spelled out in your screenshot.

----------------------------------------------------
"Error message: you are using insecure hash algorithm in CA signature. Please regenerate CA with other hash algorithm."
----------------------------------------------------

IOW, when you generated your current OpenVPN CA certificate, the signature hash algorithm that was used is no longer supported by the updated OpenVPN client s/w (likely because that hash algorithm is now deprecated), so you must now regenerate your CA certificate using the "Renew" button on the router's webGUI and then export the new client configuration file.

After the CA certificate has been regenerated, you can check what the signature hash algorithm is with the following command (via an SSH terminal session):
Bash:
openssl x509 -noout -text -in "/jffs/openvpn/vpn_crt_server1_ca" | grep "Signature Algorithm"
It should be "sha256WithRSAEncryption" instead of whatever you had before (you can check what signature you have now by using the same command above, if you want to compare them).
 
Last edited:
Ok that worked. Thanks!
*I at first just re-exported the certificate. Didn’t think I needed to recreate it from some reason.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top