  1. #1
    Untangler
    Join Date
    Apr 2017
    Posts
    53

    OpenVPN 2.4.7 will not Connect - ns-cert-type is DEPRECATED.

    Good Afternoon - I have several clients that use OpenVPN 2.4.0 successfully. Today I set up 2 new users, installed the software, 2.4.7 and they receive the following error when trying to connect. Do I need to change something for these users? Is there any reason why they can't use version 2.4.0? Thank you, in advance for your help.

    OpenVPNError_LI.jpg

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,767

    This is what happens when the OpenVPN server needs to be ripped out and replaced because it's running an MD5 certificate, and is hilariously insecure.

    https://support.untangle.com/hc/en-u...tificate-Error

    It's time to nuke and pave the OpenVPN module. Your only other choice is to manually download and attempt to use older OpenVPN clients, but those clients are no longer compatible with Windows 10 the last I looked.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    Apr 2017
    Posts
    53

    Thank you for your response. I have the older client and that is working for the previous users even on Windows 10. How can I use the older client for the new users?

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,767

    Quote: Originally Posted by ABerndt
    Thank you for your response. I have the older client and that is working for the previous users even on Windows 10. How can I use the older client for the new users?
    You have to get the older version from OpenVPN.net and install it manually, I do NOT recommend it. The correct course forward is to nuke and pave the OpenVPN module. MD5 certificates are now all but trivial to crack.

    But, if you insist on being unsafe... a full list of builds can be found here: https://build.openvpn.net/downloads/releases/

    Which makes the most recent 2.4.0 Windows installer right here: https://build.openvpn.net/downloads/...2.4.0-I602.exe

    Alternately, you can add this:
    Code:
    tls-cipher "DEFAULT:@SECLEVEL=0"
    to the client's configuration file, it will instruct the client to ignore the certificate warnings and connect anyway, even with a current version of the client. You can add this to the client tab in OpenVPN if you want this to continue working for all clients going forward. But, again... this is a horrible idea for long term use. Use it as a bandaid if you must, but plan to nuke that module ASAP.
    Last edited by sky-knight; 12-04-2019 at 08:01 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler
    Join Date
    Apr 2017
    Posts
    53

    Thank you. I am only looking at this as a possible temporary solution. If I were to uninstall and reinstall OpenVPN on my Untangle, how would that affect my site-to-site tunnel? I'm more concerned about that than my remote users. OpenVPN is a convenience for them, the site-to-site tunnel is essential to our business!

  6. #6
    Untangler
    Join Date
    Apr 2017
    Posts
    53

    I appreciate your help. I am actually thinking that I will add that line to the client configuration but when I look at that tab, this is what I see.
    OpenVPNClientConfig.JPG

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,767

    The site-to-site tunnel works on the same tech, so that will need to be rebuilt too. So when you nuke the module that tunnel is gone too, you'll need to nuke the module on the far side and deploy a new client to it, to bring it back.

    So don't do this without access to the admin UIs in both places!

    That bit is pretty quick honestly, and could be done during a lunch break or something easily. But redistributing all the soft clients is usually the pain point.

    The client section you need is at the bottom of the advanced tab.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangler
    Join Date
    Apr 2017
    Posts
    53

    Thank you for confirming...I kind of figured that. I should have started this project before the Thanksgiving Holiday. Oh, well.

    When I add the entry to the Client Configuration area, I should enter 'Option Name' as tls-cipher and 'Option Value' as '"DEFAULT:@SECLEVEL=0' including the quotation mark in the front?

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,767

    You don't need the quotes, but otherwise yes your adaptation is correct.

    When you generate the client, extract it... and open the .ovpn file with notepad. You should see the text I suggested clearly in the file as I indicated it. That way you know you've got it right.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
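
The check described in the post above (opening the .ovpn file to confirm what it contains) can be run across many profiles, which also gives a list of clients still carrying the workaround once the module has been rebuilt. This is an added example, not code from the thread or from Untangle or OpenVPN; `audit_ovpn`, `SAMPLE` and `vpn.example.com` are hypothetical names and constructed data.

```python
import shlex

# Constructed sample profile (not from the thread); vpn.example.com is a placeholder.
SAMPLE = """\
client
dev tun
remote vpn.example.com 1194
ns-cert-type server
tls-cipher DEFAULT:@SECLEVEL=0
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

def audit_ovpn(text):
    """Return (line_number, directive, finding) tuples for settings to revisit."""
    findings = []
    in_inline_block = False  # True while inside <ca>...</ca>, <cert>..., <key>...
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("<"):
            # Inline blocks carry PEM data, not directives; skip their bodies.
            in_inline_block = not line.startswith("</")
            continue
        if in_inline_block or not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line)  # honours "quoted values"
        except ValueError:
            # e.g. an opening quotation mark with no closing one
            findings.append((lineno, line.split()[0], "unbalanced quotation mark"))
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "ns-cert-type":
            findings.append((lineno, directive,
                             "deprecated in OpenVPN 2.4; use remote-cert-tls"))
        elif directive == "tls-cipher" and any("@SECLEVEL=0" in a.upper() for a in args):
            findings.append((lineno, directive,
                             "OpenSSL security level 0: weak (e.g. MD5) signatures accepted"))
    return findings

if __name__ == "__main__":
    for lineno, directive, finding in audit_ovpn(SAMPLE):
        print(f"line {lineno}: {directive}: {finding}")
```
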

  10. #10
    Untangler
    Join Date
    Apr 2017
    Posts
    53

    I do see that. I will install the client on my laptop and test it later when I am outside of my network. I really do appreciate your help.
