Solved OpenVPN server issue

[doczenith1]

Well for whatever reason I am still able to connect to my ovpn server after updating the OpenVPN for Android app. I was getting ready to apply the work around but thought I'd try to connect first and it just connected.

 

[fallenoracle]

Anyone know if Merlin or Asus have any plans soon to update this certificate issue?

 

[L&LD]

At least @doczenith1 doesn't have any issues.

RMerlin nor Asus need to do anything if it works as expected.

Your network setup is suspect. That is where you need to turn the investigation to.

 

[fallenoracle]

I'm confused. How would my network setup be suspect if I have no control over what is built into the router in signing the certificate aside from a tedious process that defeats the purpose of such feature? I'm also clearly not the only one having the issue. And why are we signing certificates with such an outdated method?

 

[L&LD]

You don't need control (necessarily) for your network, specifically, to be in question.

Your router, your client device(s), your choice of firmware and/or VPN providers, and any and all combinations thereof, are the culprit, today.

I can't see how this is something that Asus or RMerlin can successfully attack, today.

 

[fallenoracle]

I guess without knowing more about the back end I'm not sure how complicated it really is. Just in reading this article this is something that should have been fixed some time ago, obviously by Asus.

I'm using the latest Merlin firmware and the devices using the router VPN server are definitely not old, less than a year.

MD5 Signature Algorithm Support | OpenVPN

It has been known for a very long time (since 2005 or so) that using MD5 as an algorithm for signing a certificate is a bad idea. Here's why.

openvpn.net

 

[elorimer]

Your router, your client device(s), your choice of firmware and/or VPN providers, and any and all combinations thereof, are the culprit, today.

Stop. This is an issue --a very specific and repeatable issue--connecting to an Asus router running Merlin from something running on Android because the AsusMerlin firmware is encoding a cert with SHA1. One fix is for that something not to be so sensitive, and that's been figured out, the other is exploring whether the cert can/should be encoded with something else. This isn't something swanning around, and no VPN provider in the mix.

 

[elorimer]

ell for whatever reason I am still able to connect to my ovpn server after updating the OpenVPN for Android app. I was getting ready to apply the work around but thought I'd try to connect first and it just connected.

I updated, had no problem, and then updated again and had this exact problem, which went away with the exact workaround.

 

[RMerlin]

I updated, had no problem, and then updated again and had this exact problem, which went away with the exact workaround.

How did you create your certificates? Because mines have a SHA256 signatures here...

admin@stargate88ax:/jffs/openvpn# openssl x509 -in vpn_crt_server1_crt -noout -text | grep Signature
        Signature Algorithm: sha256WithRSAEncryption
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption

In fact, I "fixed" that 5 years ago.

commit 2e150ce55828638fb2fb474468e01c73fdfbd6cb
Author: Eric Sauvageau <rmerl@lostrealm.ca>
Date:   Fri Dec 23 12:22:55 2016 -0500

    openvpn: Use sha256 for key/certs generated by Easy-RSA (used by key/certs auto-generated by the firmware)

EDIT: it's a regression. I fixed that 5 years ago, but when I replaced my patched easy-rsa with Asus' own, my fix got lost.

 

[fallenoracle]

How did you create your certificates? Because mines have a SHA256 signatures here...

admin@stargate88ax:/jffs/openvpn# openssl x509 -in vpn_crt_server1_crt -noout -text | grep Signature
        Signature Algorithm: sha256WithRSAEncryption
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption

In fact, I "fixed" that 5 years ago.

commit 2e150ce55828638fb2fb474468e01c73fdfbd6cb
Author: Eric Sauvageau <rmerl@lostrealm.ca>
Date:   Fri Dec 23 12:22:55 2016 -0500

    openvpn: Use sha256 for key/certs generated by Easy-RSA (used by key/certs auto-generated by the firmware)

Interesting. For me all I did originally is setup the VPN server with the defaults, worked fine up until yesterday with the update to OpenVPN for Android. I've since reset etc and it's still doing the same thing unless I put the work around in.

 

[RMerlin]

Interesting. For me all I did originally is setup the VPN server with the defaults, worked fine up until yesterday with the update to OpenVPN for Android. I've since reset etc and it's still doing the same thing unless I put the work around in.

See my updated post. I fixed that 5 years ago, but when I merged Asus's upstream code with the big 386 merge, the change got lost. So certs generated under 384 used SHA256, but since 386.1 they were generated with SHA1.

 

[fallenoracle]

Okay whew. Thanks for getting on here and checking!

 

[john9527]

Just for anyone wondering....I didn't pick up the Easy-RSA code change on my LTS fork. Checked and the server certs are
Signature Algorithm: sha256WithRSAEncryption

 

[mister]

Did you make the change to *both* the server and client configs?

I only made it on the app. I added it to the servers and now the workaround is working. Thanks a lot for your support.
In principle I will try to harden the encryption as it is recommend. I will take a look on that.....

 

[mister]

See my updated post. I fixed that 5 years ago, but when I merged Asus's upstream code with the big 386 merge, the change got lost. So certs generated under 384 used SHA256, but since 386.1 they were generated with SHA1.

Thanks a lot Merlin for your explanation.
For me it seems, that we are currently save even with the sha1 encryption. You said, that you changed it in the old firmware version. So will you do that fix in the next version of your current - very excellent - firmware as well ? And if so , what would be the consequences for me ? Just delete the OpenVPN Servers via setting it on standard configuration and setup them again ?

Thanks a lot for your support.

Hugo.

 

[RMerlin]

Yes, I will reapply the fix for a future release. People would need to regenerate keys and certificates if they want to switch to SHA256 signatures and they were using certs generated with 386.x or with the stock firmware.

SHA1 signatures are not a real security concern in this case.

 

[mister]

Yes, I will reapply the fix for a future release. People would need to regenerate keys and certificates if they want to switch to SHA256 signatures and they were using certs generated with 386.x or with the stock firmware.

SHA1 signatures are not a real security concern in this case.

Hi Merlin,
thanks a lot for your quick reply and your explanation . As I said, I appreciate your work and support very much. When the next Merlin firmware will be released, I setup my both OpenVPN Servers again , as I did it in the past via webui and export the .ovpn files. If I understood you right, I will then automatically get the sha256 encrypted certificates.

Thanks a lot again.

Hugo

 

[grifo]

There's been another update to the app (v. 0.7.26) and with it the VPN wouldn't start as the app says it doesn't support the BF-CBC cipher. Worked around by enabling Load OpenSSL legacy provider under the profile configuration Basic tab. This is more likely an app issue.

 

[LilyKim]

Yes, I will reapply the fix for a future release. People would need to regenerate keys and certificates if they want to switch to SHA256 signatures and they were using certs generated with 386.x or with the stock firmware.

SHA1 signatures are not a real security concern in this case.

Thanks for the update, and for saying it isn't a real security concern, which was my biggest worry!

 

[elorimer]

There's been another update to the app (v. 0.7.26) and with it the VPN wouldn't start as the app says it doesn't support the BF-CBC cipher. Worked around by enabling Load OpenSSL legacy provider under the profile configuration Basic tab. This is more likely an app issue.

This has been such a stable app for years, much better than the official app, but just at the moment is in a strange place. Somewhat ironically the changelog says that it has been revised to improve compatibility with older servers! And we need now to make changes in an area marked "you are on your own here ". (Smiley in original).

Every single config I have is throwing errors with .7.26. With apologies to @L&LD, that includes VPNUnlimited. But now I know how to fix those.