DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2862, OpenVPN Dial-In with standard OpenVPN client fails.

  • service_bb
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
14 Sep 2023 15:50 #102831 by service_bb
I've managed to configure this without issues to a Vigor 2865 as long as I also include -
data-ciphers 'AES-256-CBC'
data-ciphers-fallback 'AES-256-CBC'
In the generated OVPN file.

Unfortunately on the 2862 (fw 3.9.9.2) I always see -
Thu Sep 14 15:29:26 2023 OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled:
Thu Sep 14 15:29:26 2023 TLS_ERROR: BIO read tls_read_plaintext error
Thu Sep 14 15:29:26 2023 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 14 15:29:26 2023 TLS Error: TLS handshake failed

I can successfully connect if I use the OpenVPN 2.4.8 but this is close to 4 years old. Would hazard a guess this is because the 2862 is still on the older v3 fw branch where the others are now on v4?

Has anyone managed to connect to a Vigor 2862 just using the normal OpenVPN client recently?

Please Log in or Create an account to join the conversation.

  • service_bb
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
25 Sep 2023 10:23 #102882 by service_bb
Further to this, have now determined that if we leave the OVPN connection open, the router tends to crash overnight. Suspect a memory leak.

Please Log in or Create an account to join the conversation.

More
10 Dec 2023 17:02 #103035 by sihy
I have a similar problem, the latest iOS OpenVPN client will no longer connect to the Vigor 2862 OpenVpn server, the same error is given in the client's log 'unsafe legacy renegotiation disabled'.

The reason for these errors is the OpenSSL library used in compiling the clients. OpenSSL have decided that legacy renegotiation of keys is a security risk and that enough time has elapsed (the threat has been there for many years) such that this is now disabled by default.

Presumably Draytek (in FW 3 at least, I'm running the latest 3992) are using old OpenSSL libraries and so now all clients using up-to-date OpenSSL libraries will fail to connect (presumably unless compiled with the option to reduce their security level, try getting a 3rd party to do that)!

As an aside, I've read that OpenVPN are no longer supporting compression in v3.4 going forward either, so presumably connections will also fail if the server insists on compression.

In short, unless Draytek will update the firmware and use the modern OpenSSL libraries and a contemporary OpenVPN server config then these devices will no longer work will recent clients.

I'm now forced to install and configure an OpenVPN server on another device on the network, I must admit this has put me off Draytek, I probably won't get another Draytek device unless this issue is addressed fairly quickly. They really should be using libraries that are at least younger than 3 years old and be keeping an eye on developments in server software, it is a network security device after all.

Please Log in or Create an account to join the conversation.

More
19 Feb 2024 10:24 #103179 by abilitycn
ffs Draytek.

either dont use OpenVPN on the router or stay on top of it.

Got this issue this morning presumably after the client had updated.

Please Log in or Create an account to join the conversation.

Moderators: Sami