Update to 33555 from 32170 / OpenVPN Server won't start

DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Pdobrien3
DD-WRT User


Joined: 12 Dec 2015
Posts: 103

PostPosted: Sun Nov 12, 2017 16:08    Post subject: Update to 33555 from 32170 / OpenVPN Server won't start
Good morning all,

Here is my syslog error message:

Jan 1 00:00:24 Office_ASUS AC68U daemon.notice openvpn[1121]: OpenVPN 2.4.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 20 2017
Jan 1 00:00:24 Office_ASUS AC68U daemon.notice openvpn[1121]: library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.09
Jan 1 00:00:24 Office_ASUS AC68U daemon.notice openvpn[1438]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Jan 1 00:00:24 Office_ASUS AC68U daemon.warn openvpn[1438]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Jan 1 00:00:24 Office_ASUS AC68U daemon.warn openvpn[1438]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 1 00:00:24 Office_ASUS AC68U daemon.notice openvpn[1438]: Diffie-Hellman initialized with 1024 bit key
Jan 1 00:00:24 Office_ASUS AC68U daemon.err openvpn[1438]: OpenSSL: error:140AB18E:lib(20):func(171):reason(398)
Jan 1 00:00:24 Office_ASUS AC68U daemon.err openvpn[1438]: Cannot load certificate file /tmp/openvpn/cert.pem
Jan 1 00:00:24 Office_ASUS AC68U daemon.notice openvpn[1438]: Exiting due to fatal error

Any help would be greatly appreciated.

Thanks,
Dan
Pdobrien3
DD-WRT User


Joined: 12 Dec 2015
Posts: 103

PostPosted: Sun Nov 12, 2017 20:25
Ok,

So I added this:

tls-cipher "DEFAULT:@SECLEVEL=0"

to at least get things running again. Best I can tell, there have been upgrades to OpenVPN requiring new certs. I have searched the intranet all day looking for how to create new certs that will work. Any assistance would be greatly appreciated.

Thanks,
Dan
tedm
DD-WRT User


Joined: 13 Mar 2009
Posts: 281

PostPosted: Sun Nov 12, 2017 21:55
Did you do a reset to clear out your nvram first?

I've seen this sort of thing with openvpn before. It's always best to update ALL dd-wrt routers involved in an openVPN vpn at the same time, then wipe all of them and regenerate new certs and set them all up again.

This isn't a dd-wrt issue, this is an openvpn issue. Backwards compatibility on certs isn't very high on the importance list for the openvpn developers.
Pdobrien3
DD-WRT User


Joined: 12 Dec 2015
Posts: 103

PostPosted: Sun Nov 12, 2017 23:37
tedm wrote:
Did you do a reset to clear out your nvram first?


yes

tedm wrote:
I've seen this sort of thing with openvpn before. It's always best to update ALL dd-wrt routers involved in an openVPN vpn at the same time, then wipe all of them and regenerate new certs and set them all up again.


Correct, that is exactly what I am trying to do. Apparently md5 certificates are outdated and new OpenVPN part of DD-WRT requires SHA values. I am just guessing on this. Figuring out how to create the new certificates with SHA instead of MD5 is exactly what I am looking for assistance with.

tedm wrote:
This isn't a dd-wrt issue, this is an openvpn issue. Backwards compatibility on certs isn't very high on the importance list for the openvpn developers.


right... just trying to update my router ;)
Pdobrien3
DD-WRT User


Joined: 12 Dec 2015
Posts: 103

PostPosted: Mon Nov 13, 2017 2:37
I got it working......thanks.
tedm
DD-WRT User


Joined: 13 Mar 2009
Posts: 281

PostPosted: Mon Nov 13, 2017 9:15
Yeah I think the last time anyone updated the OpenVPN wiki for dd-wrt was about 6 years ago. I'll add a link to this thread to the OpenVPN wiki so if you have usable notes go ahead and post them here.
Pdobrien3
DD-WRT User


Joined: 12 Dec 2015
Posts: 103

PostPosted: Mon Nov 13, 2017 11:04
Quoting a post from Mrjcd:

“If using old keys made with md5 security it will not work on newer dd-wrt builds.
Must have keys generated with RSAsecurity -- requirement of the newer openSSL dd-wrt uses since build r33006.

This will show as error in log and the ovpn server will not startup!!!!”

I am not sure if this was my issue but here is how I fixed it:

Adding tls-cipher "default:@seclevel=0" in the additional config box of services/vpn got everything working again with the old certificates/settings. My research showed that this was just a work-around though and not a safe alternative.

From there, I downloaded and installed the newest OpenVPN exec for Windows. I noticed it added a new file in the easy-rsa folder titled OpenSSL-1.0.0.cnf. From there, I used the OpenVPN instructions for generating keys/certs found here:

https://openvpn.net/index.php/open-source/documentation/howto.html#pki

I used server side settings from here:

http://www.outoftolerance.com/2016/09/25/hardened-openvpn-with-dd-wrt/

Although I used “system up” and disabled “redirect default gateway”

I also didn't notice any box to install "OpenSSL Utilities" during the OpenVPN install.

From there, I followed the good ole:
https://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B, to know where to paste everything generated during the easy-rsa steps.

Worth noting that I had a working OpenVPN server in DD-WRT prior to the firmware upgrade so it was mostly just upgrading my certificates and server side settings.

Thanks,
Dan
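The failure in this thread is a certificate whose signature digest is too weak for the OpenSSL 1.1.0 that newer DD-WRT builds link OpenVPN against: OpenSSL error 140AB18E decodes to lib 20 (SSL), function 171 (SSL_CTX_use_certificate), reason 398 ("ca md too weak"), which is raised when a certificate in the chain is signed with a digest below the default security level 1 (80 bits, so MD5 fails and SHA-1 still passes). The tls-cipher "DEFAULT:@SECLEVEL=0" line works only because it disables that check. The following script is an added example, not code from the thread, DD-WRT or OpenVPN: using only the Python standard library it reads the signatureAlgorithm OID out of a PEM or DER certificate and reports whether a given OpenSSL security level would accept it, so you can test your existing ca.crt, server and client certificates before an upgrade. The sample certificates it builds are constructed DER shells with a dummy tbsCertificate and dummy signature, labelled as such; they exercise the parser but are not real, verifiable certificates. The minimum-bits table follows OpenSSL's documented security levels.

```python
import base64
import re

# signatureAlgorithm OID -> (name, security bits OpenSSL credits the digest with,
# i.e. half the digest length: MD5 16 bytes -> 64, SHA-1 20 -> 80, SHA-256 32 -> 128)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", 64),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", 80),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", 128),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", 192),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", 256),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", 128),
}

# Minimum signature strength (bits) demanded by each OpenSSL security level.
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}


def _read_tlv(buf, pos):
    """Parse one DER tag/length header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Return the outer signatureAlgorithm OID of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def assess(der, seclevel=1):
    """Report the signature digest and whether OpenSSL at `seclevel` would load the cert."""
    oid = signature_oid(der)
    name, bits = SIG_ALG_OIDS.get(oid, (oid, 0))   # unknown OID: treat as 0 bits
    accepted = seclevel <= 0 or bits >= SECLEVEL_MIN_BITS[seclevel]
    return {"algorithm": name, "bits": bits, "accepted": accepted}


def check_pem_file(path, seclevel=1):
    with open(path) as f:
        return assess(pem_to_der(f.read()), seclevel)


# --- constructed sample data (not real certificates) -------------------------
def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid_bytes(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(sig_oid):
    """CONSTRUCTED sample: a Certificate shell with a dummy tbsCertificate and dummy
    signature value, enough to exercise signature_oid(); not a verifiable certificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # SEQUENCE { INTEGER 1 }
    alg = _tlv(0x30, _tlv(0x06, _oid_bytes(sig_oid)) + b"\x05\x00")  # { oid, NULL }
    sig = _tlv(0x03, b"\x00" * 17)                               # dummy BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = pem_to_der(der_to_pem(make_sample_cert(oid)))
        print({lvl: assess(der, lvl) for lvl in (0, 1, 2)})
```

Point check_pem_file at the ca.crt, server and client certificates you currently paste into the DD-WRT VPN page; an md5WithRSAEncryption result at level 1 is exactly the "ca md too weak" condition in the syslog above, and the fix that keeps the check enabled is the one Dan describes: regenerate the whole PKI (CA included) with a SHA-2 digest rather than lowering the level to 0. The same information is available from the command line as `openssl x509 -in ca.crt -noout -text | grep 'Signature Algorithm'` on any machine with the OpenSSL utilities installed.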
tedm
DD-WRT User


Joined: 13 Mar 2009
Posts: 281

PostPosted: Wed Nov 15, 2017 5:02
Good work and thanks!