Reset GL-MT1300 router, now AES-256-CBC problem with OpenVPN

agnelli · January 4, 2022, 7:40am

I reset my GL-MT1300 router by holding the physical reset button for 10 seconds.

After adding my OpenVPN client configurations again to the router, I get the following error when attempting to connect to the VPN from the router web interface:

SIGHUP[soft,connection-reset] received, process restarting

DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.

OpenVPN 2.5.0 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]

library versions: OpenSSL 1.1.1d 10 Sep 2019

Restart pause, 2 second(s)

The router firmware is version 3.203.

The OpenVPN client .ovpn file is valid, I can connect from my computer level instead of the router level.

Any advice would be appreciated.

alzhao · January 4, 2022, 10:49am

It may not related to cipher.

Does your vpn allow multiple connections? Can you check if you are connecting from multiple devices.

agnelli · January 4, 2022, 2:19pm

From the VPN, on the OpenVPN Access Server, I see:

Allowed VPN Connections: 2 VPN Connections
Current Active Users: 0

I can connect with OpenVPN client software on my laptop so that Current Active Users is increased to 1, but again not at the router level.

agnelli · January 4, 2022, 5:50pm

Please see above response.

wcs2228 · January 5, 2022, 3:34am

It says only a warning. I get the same message in system log and OpenVpn still works.

agnelli · January 5, 2022, 6:33am

I’ve tried the following, documented here: Error with .ovpnf file on router: cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM) - OpenVPN Support Forum

Since the issue only surfaced after resetting my GL-MT1300 router, I tend to think the issue may be related to the router itself. As I can connect with the .ovpn file using my computer. Does the router lack AES-256-CBC for some reason?

agnelli · January 5, 2022, 6:43am

Should I try upgrading packages on the router? Which?

agnelli · January 5, 2022, 6:46am

For example, how can I upgrade the package

openvpn-openssl 2.5.0-1

on my router? I would like to match my server version now, of v2.10.0.

alzhao · January 5, 2022, 7:06am

Upgrading openvpn version is difficult on the router.

Is this your own vpn server?

agnelli · January 5, 2022, 7:23am

Yes, the OpenVPN server is my own that I have setup on Google Cloud.

This is good in that I have control over it, yet perhaps more difficult for debugging as I may have set something up incorrectly on it However, the server (ie, VPN connection to the server) does work when I use an OpenVPN client on my laptop with the .ovpn client file generated by the server.

Therefore, I think the problem has more to do with the router itself and the environment of the router.

alzhao · January 5, 2022, 7:25am

Pls note, openvpn is very complicated and have a lot of parameters.

Windows version also differ from Linux version in parameters. PC (both windows and linux) support much more comprehensive settings than the router.

So you may want to adjust the parameters and try again.

agnelli · January 6, 2022, 8:36am

I setup another OpenVPN Access Server on a different cloud platform, this time on the platform Vultr using their ‘One Click’ service.

This gave me a .ovpn file that works from my computer, but not from my GL-MT1300 router. When trying to connect with the file from my router I get the error:

SIGHUP[soft,tls-error] received, process restarting

DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.

OpenVPN 2.5.0 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]

library versions: OpenSSL 1.1.1d 10 Sep 2019

This is much the same error that was seen with the Google Cloud OpenVPN server. However, please note that the Vultr OpenVPN Access Server is from a ‘One Click’ installation: the .ovpn file should be adequate. It works from my computer…

Recent logs from my router can be found in this thread: https://forums.openvpn.net/viewtopic.php?f=24&t=33536&p=104147#p104147

From the router logs that I can see from the LUCI panel, which I have pasted in that thread on openvpn.net, the following stands out:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

alzhao · January 6, 2022, 9:39am

Can you pm me a working config so that I can try?

agnelli · January 6, 2022, 9:48am

I have sent the config over a private message.

agnelli · August 19, 2022, 5:55pm

To resolve the issue publicly, upgrading the rotuer’s software seemed to fix the problem.