OpenVPN server "weak hash" on Mango

Technical Support for Routers
1

Trying to configure OpenVPN server on Mango to work with OpenVPN for Android (TV) app.
However, when I import the profile and try to connect I get errors (below) and it won’t connect.

Warning: No server certificate verification method has been enabled.
OpenSSL: error:0A00018E:SSL routines:ca md too weak
MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
OpenSSL reported a certificate with a weak hash
(similar to this post: Meet Brume 2! - #92 by lostdog)

Also importing the same OVPN file in the windows OpenVPN Connect app I get
Error Message: Peer certificate verification failure.

So, just would like to know what is wrong with the OpenVPN server configuration?
Mango is running FW 3.215 which is the latest.

2

OpenVPN on the Mango and other GL.iNet routers uses an older version of the openvpn-openssl package, probably 2.5.3 that you can look up in Admin Panel → APPLICATIONS → Plug-Ins.

OpenVPN for Android uses OpenSSL 3.0 and rejects the older version by default. You can try a workaround by editing that profile in the app:

Go to ADVANCED → Custom Options
Add the line:

tls-cipher “DEFAULT:@SECLEVEL=0”

Save the change and connect again

I had this problem during testing of Brume 2, where the offiicial latest OpenVPN Connect app by openvpn.net with OpenSSL 1.1.1 worked and the latest OpenVPN for Android app did not work. When I used the workaround in the OpenVPN for Android app, then it connected successfully.

Note that OpenSSL 1.1.1 is still on long term support until September 11, 2023, so GL.iNet needs to upgrade their firmware by that date.

I do not work for and I do not have formal association with GL.iNet

3

This has nothing to do with that. This has everything to do with the fact that SHA1 hasn’t been secure to sign certificates for going on about a decade now. (And for some unexplainable reason the script that gl-inet uses to generate the certificates uses SHA1).

I know @wcs2228 won’t see this because reasons, but recommending people to downgrade security settings rather than fixing the underlying problem is, in my opinion, just super poor form.

What you need to do is regenerate the certificates used for the VPN so that it’s actually secure, as opposed to, well, not.

Change the /usr/bin/cert_manager and replace all instances of sha1 with sha256. Then generate new certs.

(paging @alzhao to this thread because it’s going to continue to be a problem until it’s fixed)

1 Like
4

I have notified guys to fix.

5

Thanks for the suggestion, this is a bit beyond what I can do unless there is a step by step how to.

I guess this may be fixed soon with a firmware upgrade now that dev team is aware?

Happy holidays!!

6

This is a more detailed guide but may not have enough info. Are you familiar with using ssh to access the router, either using command prompt or PuTTY (or terminal on a Mac)? That’s the first step, then you’ll need to use a text editor (vi is my editor of choice, but the interface is… Not good)? If you can get into it via ssh, I can write a one line sed command for you that will make the appropriate changes.

7

@alzhao, when do you think there will be fixes released for all the affected GL.iNet routers (maybe all of them)? I checked that all my 5 routers with Firmware 3 and FIrmware 4 are affected.

8

@hansome is on this.

9

Should users stop using OpenVPN server on their routers until after they have fixes?

10

Some VPN is better than no VPN. But you should fix it asap.

11

This has been fixed and will be in next snapshot or beta.

12

Are the fixes for all affected GL.iNet routers?

13

Yes. It will be on 3.216

14

Routers with Firmware 4 are also affected (at least GL-A1300 and GL-MT2500).

15

Yes. The fix is For both 3.x and 4.x firmware.

16

also ich hab auf meinen GL_MV1000 die FW 3.216 und es geht leider nicht
auch wenn ich die anleitung ausführe kann ich danach den Server nicht Starten :frowning:

18

Pls try 4.x firmware for MV1000
https://dl.gl-inet.com/?model=mv1000&type=beta

1 Like
19

Hello alzhao,

I had a VPN running for over 2 years with the same Lan configuration.
Unfortunately, it no longer works at all. I have now tested the MV1000 with the FW 4.0 you linked to me and I can’t log in with my cell phone.

I can try it with the current IP or with the DDNS domain for the log I have changed my IP or DDNS with “IP”
Port forwarding is set on my router, which is how it has worked for the last 2 years

The log it throws me is:
[Feb. 04, 2024, 00:17:05] ----- OpenVPN Start -----
[Feb. 04, 2024, 00:17:05] EVENT: CORE_THREAD_ACTIVE
[Feb. 04, 2024, 00:17:05] OpenVPN core 3.8.4connectX(3.git::c424d46c:RelWithDebInfo) android arm64 64-bit PT_PROXY
[Feb. 04, 2024, 00:17:05] Frame=512/2112/512 mssfix-ctrl=1250
[Feb. 04, 2024, 00:17:05] NOTE: This configuration contains options that were not used:
[Feb. 04, 2024, 00:17:05] Unsupported option (ignored)
[Feb. 04, 2024, 00:17:05] 4 [resolv-retry] [infinite]
[Feb. 04, 2024, 00:17:05] 6 [persist-key]
[Feb. 04, 2024, 00:17:05] 7 [persist-tun]
[Feb. 04, 2024, 00:17:05] 10 [nice] [0]
[Feb. 04, 2024, 00:17:05] 11 [mute] [5]
[Feb. 04, 2024, 00:17:05] EVENT: RESOLVE
[Feb. 04, 2024, 00:17:05] Contacting “IP”:1194 via UDP
[Feb. 04, 2024, 00:17:05] EVENT: WAIT
[Feb. 04, 2024, 00:17:05] Connecting to [“IP”]:1194 (“IP”) via UDP
[Feb. 04, 2024, 00:17:15] Server poll timeout, trying next remote entry…
[Feb. 04, 2024, 00:17:15] EVENT: RECONNECTING
[Feb. 04, 2024, 00:17:15] EVENT: RESOLVE
[Feb. 04, 2024, 00:17:15] Contacting “IP”:1194 via UDP
[Feb. 04, 2024, 00:17:15] EVENT: WAIT
[Feb. 04, 2024, 00:17:15] Connecting to [“IP”]:1194 (“IP”) via UDP
[Feb. 04, 2024, 00:17:25] Server poll timeout, trying next remote entry…
[Feb. 04, 2024, 00:17:25] EVENT: RECONNECTING
[Feb. 04, 2024, 00:17:25] Contacting “IP”:1194 via UDP
[Feb. 04, 2024, 00:17:25] EVENT: RESOLVE
[Feb. 04, 2024, 00:17:25] Connecting to [“IP”]:1194 (“IP”) via UDP
[Feb. 04, 2024, 00:17:25] EVENT: WAIT
[Feb. 04, 2024, 00:17:35] Server poll timeout, trying next remote entry…
[Feb. 04, 2024, 00:17:35] EVENT: RECONNECTING
[Feb. 04, 2024, 00:17:35] Contacting “IP”:1194 via UDP
[Feb. 04, 2024, 00:17:35] EVENT: RESOLVE
[Feb. 04, 2024, 00:17:35] Connecting to [“IP”]:1194 (“IP”) via UDP
[Feb. 04, 2024, 00:17:35] EVENT: WAIT
[Feb. 04, 2024, 00:17:45] Server poll timeout, trying next remote entry…
[Feb. 04, 2024, 00:17:45] EVENT: RECONNECTING
[Feb. 04, 2024, 00:17:45] EVENT: RESOLVE
[Feb. 04, 2024, 00:17:45] Contacting “IP”:1194 via UDP
[Feb. 04, 2024, 00:17:45] EVENT: WAIT
[Feb. 04, 2024, 00:17:45] Connecting to [“IP”]:1194 (“IP”) via UDP

No connection possible :frowning:

20

Is the “IP” your real WAN IP?
So if you go to wieistmeineip.de - will it show the same?

21

ja die IP ist meine WAN IP wenn ich sie überprüfe
Handy ist zur gleichen zeit auch nicht mit dem Wlan verbunden also wirklich von aussen

Wie gesagt vor dem Zertifikat und Update ging alles.hat sich auch verbunden und hab an den Router einstellungen nichts geändert… IP von MV1000 ist auch noch die gleiche aber bekommt keine verbindung mehr.