Issues connecting to ASUS RT-AC66U with Tunnelblick 3.5.1 and up


Michael Preissner

Jun 14, 2015, 10:46:26 AM
to tunnelbli...@googlegroups.com
Setting up a VPN server on an ASUS RT-AC66RU. Everything works fine using TB 3.5.0, however, after upgrading to 3.5.1, 3.5.2, or 3.6beta, connection no longer works. Seems to be a problem with TLS negotiation. Anyone else run into this?

jkbull...gmail.com

Jun 14, 2015, 10:58:52 AM
to tunnelbli...@googlegroups.com, mi...@preissner.us, mi...@preissner.us
Tunnelblick 3.5.1 replaces OpenSSL version 1.0.1m (in 3.5.0) with version 1.0.1n, and 3.5.2 replaces it with 1.0.1o, because of security vulnerabilities in 1.0.1m. According to the OpenSSL Security Advisory of 11 Jun 2015, one of the changes in 1.0.1n was to

A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000).

OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.

Probably you are using keys that are shorter than 768 bits. You should generate new, longer keys. See Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients, which is in the "HOWTO" article in the OpenVPN documentation.

Note that Tunnelblick includes the "easy-rsa" programs (version 2 and 3) used in the HOWTO. To get to them, go to the "Utilities" panel of Tunnelblick's "VPN Details…" window, and click the "Open easy-rsa in Terminal" button.

mrei...@gmail.com

Jun 16, 2015, 5:55:12 PM
to tunnelbli...@googlegroups.com, mi...@preissner.us
For users of the Asus routers with RMerlin fw: there is an easier way to do this.
See here:
Basically it comes down to this: generate only the DH key and supply that to the router.

On Sunday, June 14, 2015 at 16:58:52 UTC+2, jkbull...gmail.com wrote: