VPN Not connecting after upgrade to RT-AC86U_384.10

mrf0ster

Occasional Visitor
Hi all, once I upgraded, I am no longer able to connect to my VPN Provider.

I get the following error message continually repeating. Works perfectly with RT-AC86U_384.9_0

Is there something additional I should be doing after the upgrade?

Cheers Mark

Mar 25 21:38:11 rc_service: httpd 762:notify_rc start_vpnclient1
Mar 25 21:38:11 kernel: tun: Universal TUN/TAP device driver, 1.6
Mar 25 21:38:11 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mar 25 21:38:11 ovpn-client1[1807]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 24 2019
Mar 25 21:38:11 ovpn-client1[1807]: library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.08
Mar 25 21:38:11 ovpn-client1[1809]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 25 21:38:11 ovpn-client1[1809]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 25 21:38:11 ovpn-client1[1809]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.94.103.2:53
Mar 25 21:38:11 ovpn-client1[1809]: UDP link local: (not bound)
Mar 25 21:38:11 ovpn-client1[1809]: UDP link remote: [AF_INET]172.94.103.2:53
Mar 25 21:38:11 ovpn-client1[1809]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 25 21:38:11 ovpn-client1[1809]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
Mar 25 21:38:11 ovpn-client1[1809]: OpenSSL: error:1416F086:lib(20):func(367):reason(134)
Mar 25 21:38:11 ovpn-client1[1809]: TLS_ERROR: BIO read tls_read_plaintext error
Mar 25 21:38:11 ovpn-client1[1809]: TLS Error: TLS object -> incoming plaintext read error
Mar 25 21:38:11 ovpn-client1[1809]: TLS Error: TLS handshake failed
Mar 25 21:38:11 ovpn-client1[1809]: SIGUSR1[soft,tls-error] received, process restarting
 
CA signature digest algorithm too weak:

Check if they have a newer config or certificate, looks like the certificate you use is too weak.
 
I'm also having this problem. I use Torguard and applied a newly generated ovpn including certificates from them. Same result.
 
Post a CA so I can check what digest they use.
 
For a company supposed to provide a security service to use a known weak digest should raise some alarm flags...

Sent from my Nexus 5X using Tapatalk
 

Attachments

  • Torguard-CA-Mar-25-2019.txt
    1.7 KB · Views: 514
Update... I have it working now.
I notice that I was not getting log updates so I tried a soft reboot (click reboot in the GUI). It appeared to work, i.e., went through the count but did not actually reboot. Performed hard reboot (power off / on) and retried the VPN... failed first go-through but identified that it required TLS 1.2 or >.
Applied the Torguard ovpn with TLS 1.2 and bingo.

Also note: I upgraded directly from 384.8_2 to .10 and found that I had to do a factory reset and reload the config as well as touch up some of the settings.

Thanks again for your excellent work and tireless effort RMerlin
 
Good.

@mrf0ster , can you post the content of your CA field? Also check if provider has a newer config file.
 
Heya Merlin, once home I will upload CA and also check with my provider if they have a more current one.

One other strange thing I noticed when playing around last night, was once I did do a GUI reboot after uploading the firmware and changing all the settings etc, the count up % went up to 200.

Appreciate the assistance and I will keep you apprised of my findings tonight.

Cheers Mark
 
Absolutely correct Merlin. New Cert obtained from provider and now all working well.

Thank you so much for your support!

Cheers Mark
 
Do you still have the old CA? I'd like to see which digest they used.
 
Here you go mate. The newer version is two lines longer when opened in notepad++, so I'm guessing it's a little more secure?

Cheers Mark
 

Attachments

  • RM.txt
    1.6 KB · Views: 552

Here's the issue with that old cert:

Code:
Signature Algorithm: sha1WithRSAEncryption

The use of SHA1 certificate signing was deprecated a few years ago as collisions were found for SHA1. Public certificates were forced to migrate to SHA2 back then, and operating systems are gradually starting to enforce it.

If you want to examine a certificate, from your router or any Linux system:

Code:
openssl x509 -in filename.crt -noout -text

filename.crt contains your certificate.
 
OpenSSL 1.1.1 is the one enforcing the use of a stronger digest BTW, not OpenVPN itself.
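
One way to run the check described above against the CA embedded in an OpenVPN client config, as an added example that is not part of the original posts. The function names are hypothetical, the CA is assumed to be inline in a `<ca>` block (a config pointing at an external CA file is not covered), and the list of weak digests is this example's assumption beyond the SHA-1 case named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report the signature digest of every
# CA certificate embedded in an OpenVPN client config's <ca>...</ca> block.

# Print the PEM certificates inside <ca>; strips CR from Windows-edited files.
extract_ca() {
    tr -d '\r' < "$1" | sed -n '/^<ca>/,/^<\/ca>/p' |
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

# Classify the name printed by "openssl x509 -text". The weak list (MD2/MD4/MD5
# and SHA-1 signatures) is this example's assumption; the thread only names SHA-1.
classify_sig_alg() {
    case "$1" in
        "") echo unparsed ;;
        md2*|md4*|md5*|sha1*|ecdsa-with-SHA1|dsaWithSHA1*) echo weak ;;
        *) echo ok ;;
    esac
}

# Print "<verdict> <algorithm>" per certificate.
# Returns 0 if all are ok, 1 if any is weak or unparsed, 2 if none was found.
audit_ovpn() {
    status=0; count=0; pem=""
    while IFS= read -r line; do
        pem="$pem$line
"
        case "$line" in *"END CERTIFICATE"*)
            alg=$(printf '%s' "$pem" | openssl x509 -noout -text 2>/dev/null |
                  sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
            verdict=$(classify_sig_alg "$alg")
            echo "$verdict $alg"
            [ "$verdict" = ok ] || status=1
            count=$((count + 1)); pem="" ;;
        esac
    done <<EOF
$(extract_ca "$1")
EOF
    [ "$count" -gt 0 ] || { echo "no <ca> certificate found"; return 2; }
    return "$status"
}

# Usage: sh audit_ca.sh client.ovpn
[ "$#" -eq 0 ] || audit_ovpn "$1"
```

A non-zero exit before a firmware upgrade means the provider should be asked for a CA signed with a stronger digest.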
 
Ah interesting, that's a bit slack of them isn't it!

Thanks again for your assistance, it's very much appreciated!

Cheers Mark
 
I am a TorGuard customer and checked the CA-Certificate you posted with the one on their website and what I had stored on my local TorGuard folder last year. They are the same. Appears you had been using an old CA-certificate for awhile.
 
Yeah man it seems that way. I asked them for an updated CA cert and they provided one for me. A little disappointed they still have the old outdated cert available on their website as setup files.

Thanks to Merlin I learnt something.

Cheers Mark
 
I've just noticed I'm running into this same issue tonight after my VPN tunnel dropped and being unable to reconnect.

Code:
Dec 16 22:26:08 ovpn-client1[27743]: OpenSSL: error:1416F086:lib(20):func(367):reason(134)
Dec 16 22:26:08 ovpn-client1[27743]: TLS_ERROR: BIO read tls_read_plaintext error
Dec 16 22:26:08 ovpn-client1[27743]: TLS Error: TLS object -> incoming plaintext read error
Dec 16 22:26:08 ovpn-client1[27743]: TLS Error: TLS handshake failed
Dec 16 22:26:08 ovpn-client1[27743]: SIGUSR1[soft,tls-error] received, process restarting
Dec 16 22:26:08 ovpn-client1[27743]: Restart pause, 40 second(s)

I've deleted and reimported a new config file with no success.

This looks to be the issue.

Dec 16 22:26:48 ovpn-client1[27743]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
 
*bump*

Does anyone know where the router stores the CA file?

I've checked these other threads and so far no go.

https://www.snbforums.com/threads/these-vpn-services-can-easily-be-hacked.48315/page-2#post-424264

https://www.snbforums.com/threads/cant-get-openvpn-using-expressvpn-to-run-on-rt-ac86u.48599/

*Update*

I was able to fix the issue.

There was some weird stuff going on with the Certs.

So I first started by purging all the certs then upgrading to pixelserv 2.3.0 then regenerating the certs.

And now everything is working. Strange one.
 
Torguard

Same issue now - stopped working with _15

Mar 8 03:07:18 ovpn-client1[1832]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 8 03:07:18 ovpn-client1[1832]: TLS Error: TLS handshake failed
Mar 8 03:07:18 ovpn-client1[1832]: SIGUSR1[soft,tls-error] received, process restarting
Mar 8 03:07:18 ovpn-client1[1832]: Restart pause, 160 second(s)
Mar 8 03:07:26 ovpn-client2[2533]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 8 03:07:26 ovpn-client2[2533]: TLS Error: TLS handshake failed
Mar 8 03:07:26 ovpn-client2[2533]: SIGUSR1[soft,tls-error] received, process restarting
Mar 8 03:07:26 ovpn-client2[2533]: Restart pause, 160 second(s)

Certs are same, but I reapplied anyway
Same issue
 
The first thing I would do is to log on to the TG site and generate a new ovpn.cfg file for the server you are connecting to. Then, upload the config file, enter your credentials and apply. The server host names were updated recently.
 
