OpenVPN on r30082 worked fine-broken on newest build

DD-WRT Forum Index -> Atheros WiSOC based Hardware
CBR954RR
DD-WRT Novice


Joined: 05 Aug 2013
Posts: 37

PostPosted: Thu Oct 19, 2017 18:29    Post subject: OpenVPN on r30082 worked fine-broken on newest build
I have an Archer C7 v2 running DD-WRT r30082 (7-11-2016) and have OpenVPN setup and running with no apparent issues.

I recently attempted to upgrade to r33525 (10-17-2017) thinking this had a patch to the WIFI KRACK issue. When I installed this newest version, my OpenVPN broke. It was as if I didn't have it setup. I was receiving absolutely nothing from the router when I tried to make a connection.

Someone mentioned here that they thought they read something had changed in OpenVPN in the newer builds and that I needed to make a change to my OpenVPN setup in order to get it to work in the newest build.

Could anyone with any insight on this please chime in and let me know if this is true and what I need to change in order to get OpenVPN working with the most current build of DD-WRT.

Thanks to any and all who can point me in the right direction.
flakie
DD-WRT User


Joined: 23 Sep 2017
Posts: 229
Location: Swindon, UK

PostPosted: Thu Oct 19, 2017 18:34    Post subject:
Could be this:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311502&start=9

_________________
Router Model: Netgear R8000
Firmware: DD-WRT v3.0-r41813 std (12/29/19)
Modem: Super Hub 3.0
ISP: Virgin Media 350/35 Mbps

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Thu Oct 19, 2017 18:48    Post subject:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1098454#1098454
CBR954RR
DD-WRT Novice


Joined: 05 Aug 2013
Posts: 37

PostPosted: Thu Oct 19, 2017 18:48    Post subject:
Quote:
Could be this:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311502&start=9


flakie,

Thanks for chiming in and the link. I will read through and see if this is what my issue is.

I was poking around in the Advanced Networking section and came across a post with the following info;
"A fairly recent firmware upgrade (33435 or thereabouts) included a new version of OpenSSL. After it is installed you have to create all new certificates."

Sounds like you hit the nail on the head so I will do some reading and then get to creating new certificates and see if that solves my problem.
CBR954RR
DD-WRT Novice


Joined: 05 Aug 2013
Posts: 37

PostPosted: Thu Oct 19, 2017 18:52    Post subject:
Quote:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1098454#1098454


mrjcd,

Thanks for the link. Looks like you and flakie have put me on the right path as to what my issue is.

Appreciate the quick response from both of you.
weech
DD-WRT Novice


Joined: 11 May 2017
Posts: 20

PostPosted: Fri Oct 20, 2017 3:58    Post subject:
mrjcd answered my post on the New Build thread for r33525, where I went into some detail about the OpenVPN issues I was having with the upgrade.

The answer solved my issues, all with one click of a radio button. I am not sure whether your scenario is the same as mine, but I did go into a fair amount of detail. My solution didn't involve updating OpenSSL certs.
Anyway, my post is on page 6, with his/her (his, because of mr?) suggestion following.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311720
CBR954RR
DD-WRT Novice


Joined: 05 Aug 2013
Posts: 37

PostPosted: Fri Oct 20, 2017 15:02    Post subject:
Quote:
mrjcd answered my post on the New Build thread for r33525, where I went into some detail about the OpenVPN issues I was having with the upgrade.

The answer solved my issues, all with one click of a radio button. I am not sure whether your scenario is the same as mine, but I did go into a fair amount of detail. My solution didn't involve updating OpenSSL certs.
Anyway, my post is on page 6, with his/her (his, because of mr?) suggestion following.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=311720


weech,

Thanks for the info and link. Most who have posted have pointed me to the fact that OpenSSL changed just recently in the firmware and it no longer works with md5 certificates, only RSA. (hope I got that last bit correct)

For me, since I am running a DD-WRT firmware from mid 2016 and I believe my certificates were done back in 2015, most likely created using md5 instead of RSA, so I think this is why I need to create new keys to get things working again.

One last thing if you don't mind, this is from the link you gave me and was written by mrjcd.

Quote:
conflict with SFE (Shortcut Forwarding Engine) on main setup page ...prolly enabled by default --conflicts with PBR


Where exactly do I find the SFE (Shortcut Forwarding Engine) and PBR in DD-WRT?

Thanks again for chiming in.
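An added check for the certificate point above, not code from the thread or from DD-WRT: the newer OpenSSL in recent builds refuses MD5-signed certificates, and `openssl x509 -in cert.pem -noout -text` will show the Signature Algorithm, but this standard-library Python parser reads the certificate's outer signatureAlgorithm OID directly so it can run where no openssl binary is available. The certificate skeletons it builds for testing are constructed input, not real certificates.

```python
import base64
import re
# OIDs of the RSA signature algorithms an OpenVPN user is likely to meet.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OID content bytes into dotted notation (base-128 arcs)."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_algorithm(pem):
    """Dotted OID of the certificate's outer signatureAlgorithm field."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE {
    _, _, after_tbs = _tlv(cert, 0)        #   tbsCertificate      (skipped)
    _, alg, _ = _tlv(cert, after_tbs)      #   signatureAlgorithm  AlgorithmIdentifier
    _, oid, _ = _tlv(alg, 0)               #     algorithm         OBJECT IDENTIFIER
    return _decode_oid(oid)

def check_cert(pem):
    """(algorithm name, usable) -- MD5-signed certs are the ones the new build refuses."""
    name = SIG_OIDS.get(signature_algorithm(pem), "unknown")
    return name, not name.startswith("md5")
# Constructed test input: certificate-shaped DER skeletons, not real certificates.
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
def constructed_cert_pem(oid_bytes):
    der = lambda tag, c: bytes([tag, len(c)]) + c      # short-form lengths suffice here
    tbs = der(0x30, der(0x02, b"\x02"))                # stand-in for tbsCertificate
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))
    body = der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Feed `check_cert` the contents of each CA, server and client .crt in use; any that comes back as md5WithRSAEncryption is one to regenerate.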
flakie
DD-WRT User


Joined: 23 Sep 2017
Posts: 229
Location: Swindon, UK

PostPosted: Fri Oct 20, 2017 15:09    Post subject:
CBR954RR wrote:

weech,

Thanks for the info and link. Most who have posted have pointed me to the fact that OpenSSL changed just recently in the firmware and it no longer works with md5 certificates, only RSA. (hope I got that last bit correct)

For me, since I am running a DD-WRT firmware from mid 2016 and I believe my certificates were done back in 2015, most likely created using md5 instead of RSA, so I think this is why I need to create new keys to get things working again.

One last thing if you don't mind, this is from the link you gave me and was written by mrjcd.

Quote:
conflict with SFE (Shortcut Forwarding Engine) on main setup page ...prolly enabled by default --conflicts with PBR


Where exactly do I find the SFE (Shortcut Forwarding Engine) and PBR in DD-WRT?

Thanks again for chiming in.


The SFE/PBR issue is with the OpenVPN client.
The certificate issue is with OpenVPN server.

SFE is on the Setup/Basic Setup page
PBR is on the Services/VPN page in the OpenVPN client section.

_________________
Router Model: Netgear R8000
Firmware: DD-WRT v3.0-r41813 std (12/29/19)
Modem: Super Hub 3.0
ISP: Virgin Media 350/35 Mbps

CBR954RR
DD-WRT Novice


Joined: 05 Aug 2013
Posts: 37

PostPosted: Fri Oct 20, 2017 15:16    Post subject:
Quote:
The SFE/PBR issue is with the OpenVPN client.
The certificate issue is with OpenVPN server.

SFE is on the Setup/Basic Setup page
PBR is on the Services/VPN page in the OpenVPN client section.


flakie,

Thanks for clearing that up for me.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Fri Oct 20, 2017 15:25    Post subject:
CBR954RR wrote:
Where exactly do I find the SFE (Shortcut Forwarding Engine) and PBR in DD-WRT?


PBR (Policy based routing) is an optional conf in the ovpn client settings.
You should google about how to use it with dd-wrt.

SFE is an option on the main setup page. It has nothing to do with ovpn other than causing a conflict w/PBR ... don't know why... never checked into it.
I think it was a new feature after build r33006 ????

SFE enables faster speed across the WAN, yes if using VPN also.
There is much talk about it. Google 'SFE dd-wrt' and you'll probably find a lot.

Here is a test I ran on an old Broadcom box that shows the difference - same principle w/QCA.
Note this example is just a 100Mbps unit to start with.
https://secure.dd-wrt.com/phpBB2/viewtopic.php?p=1094482&sid=c7b7d49a46150effdbfc7db64ec0a9ab#1094482

If your router gets all you pay for from ISP then leave SFE disabled.
Depending on BS build or Kong build ... BS I think SFE is still disabled if you turn on QOS.

I don't use SFE -- don't need it
weech
DD-WRT Novice


Joined: 11 May 2017
Posts: 20

PostPosted: Fri Oct 20, 2017 16:06    Post subject:
Yeah, I wasn't sure if you were running a script and/or using PBR, so I thought I would mention it.
CBR954RR
DD-WRT Novice


Joined: 05 Aug 2013
Posts: 37

PostPosted: Thu Oct 26, 2017 14:50    Post subject:
Thanks to replies from weech, flakie, and mrjcd, I have been able to fix my OpenVPN connectivity issue by creating new certificates.

Now that I can connect again, I have one more question for those of you in the know about Encryption Cipher, Hash Algorithm, and TLS Cipher.

I currently have the Encryption Cipher set to AES-256-CBC and Hash Algorithm to SHA1.

I can connect and all seems to work fine when I have TLS Cipher set to any of the following:
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
None

It does not want to connect using;
TLS-DHE-RSA-WITH-AES-128-CBC-SHA

I assume this is because the Encryption Cipher is set at AES-256-CBC but if this is correct, I don't understand why it connects at
TLS-RSA-WITH-AES-128-CBC-SHA

With all the TLS Cipher options that do work, none work if I change the Hash Algorithm to SHA256 or SHA512.

So, with all the above stated, exactly what are the best options to be using for the
Encryption Cipher
Hash Algorithm
TLS Cipher
and why won't the SHA256 and SHA512 options work?

Mind you I don't really know what any of these settings mean or which is best to use so I am looking for clarification.

Thanks to any that can provide me some insight.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Thu Oct 26, 2017 15:26    Post subject:
You're talking about a lot of different things here so I'll just say ---
Good standard to use these days is:
Encryption Cipher = AES-256-CBC
Hash Algorithm = SHA256 ...(SHA1 is longtimeago .. I wouldn't use it)
TLS Cipher = TLS-RSA-WITH-AES-256-GCM-SHA384
CBR954RR
DD-WRT Novice


Joined: 05 Aug 2013
Posts: 37

PostPosted: Thu Oct 26, 2017 15:48    Post subject:
Quote:
You're talking about a lot of different things here so I'll just say ---
Good standard to use these days is:
Encryption Cipher = AES-256-CBC
Hash Algorithm = SHA256 ...(SHA1 is longtimeago .. I wouldn't use it)
TLS Cipher = TLS-RSA-WITH-AES-256-GCM-SHA384


Thanks for the info mrjcd.

Since I can't get a connection if I use a setting of SHA256 or SHA512, can you tell me how I go about making the SHA256 setting work? Is it something to do with creating the certificates?

I am out of my element here but willing to learn.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Thu Oct 26, 2017 15:58    Post subject:
CBR954RR wrote:
Quote:
You're talking about a lot of different things here so I'll just say ---
Good standard to use these days is:
Encryption Cipher = AES-256-CBC
Hash Algorithm = SHA256 ...(SHA1 is longtimeago .. I wouldn't use it)
TLS Cipher = TLS-RSA-WITH-AES-256-GCM-SHA384


Thanks for the info mrjcd.

Since I can't get a connection if I use a setting of SHA256 or SHA512, can you tell me how I go about making the SHA256 setting work? Is it something to do with creating the certificates?

I am out of my element here but willing to learn.


I really don't know if you are talking about the ovpn server or client or both???????

Of course the clients will have to match what the server says ---
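An added example of what "the clients will have to match what the server says" means in config terms; this is not code from the thread or from DD-WRT. It assumes the GUI fields map to the OpenVPN directives `cipher`, `auth` and `tls-cipher`, and the sample configs are constructed, not the poster's.

```python
import re
# Assumed mapping of DD-WRT's fields to OpenVPN directives: Encryption Cipher -> cipher,
# Hash Algorithm -> auth, TLS Cipher -> tls-cipher. Defaults apply when a side omits one.
DEFAULTS = {"cipher": ["BF-CBC"], "auth": ["SHA1"]}   # OpenVPN's long-standing defaults

def parse_ovpn(text):
    """{directive: args}; an inline <ca>..</ca> block is recorded as ['<inline>']."""
    directives, inline = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline:                                   # skip the body of <tag> ... </tag>
            inline = None if line == f"</{inline}>" else inline
        elif not line or line[0] in "#;":            # blank line or comment
            continue
        elif re.fullmatch(r"<\w+>", line):
            inline = line[1:-1]
            directives[inline] = ["<inline>"]
        else:
            key, *args = line.split()
            directives[key] = args
    return directives

def handshake_problems(server_cfg, client_cfg):
    """Mismatches that stop a client negotiating with the server."""
    s, c = parse_ovpn(server_cfg), parse_ovpn(client_cfg)
    problems = []
    for key, default in DEFAULTS.items():
        sv, cv = s.get(key, default), c.get(key, default)
        if [x.upper() for x in sv] != [x.upper() for x in cv]:
            problems.append(f"{key}: server {' '.join(sv)} vs client {' '.join(cv)}")
    if "tls-cipher" in s and "tls-cipher" in c:      # both restrict suites: they must overlap
        common = set(s["tls-cipher"][0].split(":")) & set(c["tls-cipher"][0].split(":"))
        if not common:
            problems.append("tls-cipher: no suite allowed by both sides")
    return problems
# Constructed sample configs: the server was moved to SHA256 while the client still
# relies on the implicit SHA1, the kind of mismatch mrjcd's reply points at.
SERVER = """\
cipher AES-256-CBC
auth SHA256
tls-cipher TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
<ca>
(certificate placeholder)
</ca>
"""
CLIENT_STALE = """\
cipher AES-256-CBC
tls-cipher TLS-RSA-WITH-AES-256-GCM-SHA384
"""
CLIENT_FIXED = CLIENT_STALE + "auth SHA256\n"
```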