Hello,
we have had problems establishing an OpenVPN connection with several RUT950 and RUT956 devices since the last firmware updates.
The VPN connections were working before the firmware updates. If we now try to configure a new connection, we receive the error message "Client key is encrypted, please enter decryption password". The client key is definitely not decrypted by a password.
For the RUT950 running with 07.06.11 we found a workaround by using the extra options
cert /etc/vuci-uploads/cbid.openvpn…(correct file name of the client certificate)
key /etc/vuci-uploads/cbid.openvpn…(correct file name of the client key)
Unfortunately this workaround is not working for the RUT956 devices running on 07.07.
The log shows:
Wed May 15 17:05:22 2024 daemon.warn openvpn(emsys)[25696]: DEPRECATED OPTION: --cipher set to ‘AES-256-GCM’ but missing in --data-ciphers (AES-256-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-GCM’ to --data-ciphers or change --cipher ‘AES-256-GCM’ to --data-ciphers-fallback ‘AES-256-GCM’ to silence this warning.
Wed May 15 17:05:22 2024 daemon.notice openvpn(emsys)[25696]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed May 15 17:05:22 2024 daemon.notice openvpn(emsys)[25696]: library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
Wed May 15 17:05:22 2024 daemon.warn openvpn(emsys)[25696]: WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info.
Wed May 15 17:05:22 2024 daemon.warn openvpn(emsys)[25696]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed May 15 17:05:23 2024 daemon.err openvpn(emsys)[25696]: OpenSSL: error:80000002:lib(2)::reason(2)
Wed May 15 17:05:23 2024 daemon.err openvpn(emsys)[25696]: OpenSSL: error:10000080:lib(32)::reason(128)
Wed May 15 17:05:23 2024 daemon.err openvpn(emsys)[25696]: OpenSSL: error:0A080002:lib(20)::reason(524290)
Wed May 15 17:05:23 2024 daemon.err openvpn(emsys)[25696]: Cannot load certificate file /etc/vuci-uploads/cbid.openvpn.emsys.certFMB_SED_WAL.crt
Wed May 15 17:05:23 2024 daemon.notice openvpn(emsys)[25696]: Exiting due to fatal error
If we do not use the extra options mentioned above, the connection is also not working and the log shows only:
Wed May 15 14:37:43 2024 daemon.warn openvpn(emsys)[15496]: DEPRECATED OPTION: --cipher set to ‘AES-256-GCM’ but missing in --data-ciphers (AES-256-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-GCM’ to --data-ciphers or change --cipher ‘AES-256-GCM’ to --data-ciphers-fallback ‘AES-256-GCM’ to silence this warning.
Wed May 15 14:37:43 2024 daemon.err openvpn(emsys)[15496]: Options error: If you use one of --cert or --key, you must use them both
Wed May 15 14:37:43 2024 daemon.warn openvpn(emsys)[15496]: Use --help for more information.
Please fix this issue in the next firmware version!
Any ideas for a workaround in the meantime?
Thx
Jacob
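
The web UI message says the key is encrypted and the log stops at "Cannot load certificate file", so a useful first check is what the uploaded files actually contain. The script below is an added example, not part of the original post or of the router firmware: it classifies a file by its PEM markers. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OpenVPN credential files by their PEM markers.
# classify_pem FILE prints: encrypted-key | plain-key | certificate | not-pem | missing
classify_pem() {
    f="$1"
    [ -r "$f" ] || { echo missing; return 0; }
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted-key        # PKCS#8 key protected by a passphrase
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted-key        # traditional PEM key protected by a passphrase
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        echo plain-key
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo certificate
    else
        echo not-pem              # e.g. DER or PKCS#12 data, or an empty upload
    fi
}

# check_pair CERT KEY: succeeds only if CERT is a PEM certificate
# and KEY is an unencrypted PEM private key.
check_pair() {
    c=$(classify_pem "$1"); k=$(classify_pem "$2")
    echo "cert: $c  key: $k"
    [ "$c" = certificate ] && [ "$k" = plain-key ]
}

# Constructed sample files (placeholder bodies, not real key material).
make_samples() {
    d="$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$d/plain.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$d/legacy-enc.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/pkcs8-enc.key"
    printf '0\202\001' > "$d/binary.crt"   # stands in for a non-PEM upload
}

# Usage on a device: sh thisfile.sh <client certificate> <client key>
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

A result of `encrypted-key` means the file itself carries a passphrase marker; `not-pem` for the certificate means the file is not in the PEM text format the script looks for.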