I'm a noob with the OpenWRT and LEDE projects and I have a question about the OpenVPN client configuration using LuCI.
My router is a TP-Link TL-WR841N v11 (no more than 4Mb flash) and I have installed the following release of LEDE: 17.01-SNAPSHOT r3218-bf53a83
I would like to configure an OpenVPN client using my 'SecurityKiss' VPN account.
Everything is clear to me about the configuration options, but the VPN connection doesn't work, probably because the SecurityKiss certificates are RSA-1024 certificates and mbedtls refuses those for security reasons. mbedtls requires at least RSA-2048 certificates (source: https://bugs.lede-project.org/index.php?do=details&task_id=405)
Here is the part of my system log about this:
Tue Oct 10 18:11:37 2017 daemon.notice openvpn(security_kiss)[1498]: TLS: Initial packet from [AF_INET]91.121.103.225:5353, sid=1b5928a4 8bcd9ff3
Tue Oct 10 18:11:38 2017 daemon.notice openvpn(security_kiss)[1498]: VERIFY OK: depth=1, C=IE, ST=IE, L=Dublin, O=GL, CN=GL CA
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: VERIFY ERROR: depth=0, subject=C=IE, ST=IE, L=Dublin, O=GL, CN=server: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS Error: TLS object -> incoming plaintext read error
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS Error: TLS handshake failed
Is there a solution to this problem? E.g. using openvpn-openssl instead of openvpn-mbedtls?
Thanks in advance for your help.
Thanks for your reply but I have no idea how to install and use openvpn-openssl instead of openvpn-mbedtls :-/
Also, I do not know if there is enough free flash space for this on my router.
Is there a tutorial, or can someone help me with a procedure?
OK I understand.
And so I guess I have to reinstall the firmware if I want to recover OpenVPN functionality?
And after that, is there really a way to replace the openvpn-mbedtls package with the openvpn-openssl package in order to use an RSA-1024 certificate, considering that my router only has 4MB flash?
I am aware that RSA-1024 is not a good encryption choice, but for the time being I do not really have a choice.
For my specific usage, it is not very critical to have strong encryption.
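Added example, not part of the original posts: a small Python triage over the log lines quoted in the first post. It reports which depth of the certificate chain failed verification and whether the reason is the key-strength message. The function name `triage` and the field names are illustrative assumptions.

```python
import re

# Log lines copied from the first post (a subset, used here as sample input).
SAMPLE_LOG = """\
Tue Oct 10 18:11:38 2017 daemon.notice openvpn(security_kiss)[1498]: VERIFY OK: depth=1, C=IE, ST=IE, L=Dublin, O=GL, CN=GL CA
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: VERIFY ERROR: depth=0, subject=C=IE, ST=IE, L=Dublin, O=GL, CN=server: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS Error: TLS handshake failed
"""

# syslog prefix written by the OpenVPN instance: openvpn(<instance>)[<pid>]: <message>
LINE = re.compile(r"openvpn\((?P<inst>[^)]*)\)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
VERIFY_OK = re.compile(r"VERIFY OK: depth=(\d+), (.*)$")
VERIFY_ERR = re.compile(r"VERIFY ERROR: depth=(\d+), subject=(.*?): (.*)$")


def triage(log_text):
    """Return one finding per VERIFY ERROR, with the chain depths that passed."""
    passed = {}      # (instance, pid) -> depths that logged VERIFY OK so far
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # not an OpenVPN line
        key = (m["inst"], int(m["pid"]))
        ok = VERIFY_OK.match(m["msg"])
        err = VERIFY_ERR.match(m["msg"])
        if ok:
            passed.setdefault(key, []).append(int(ok[1]))
        elif err:
            findings.append({
                "instance": key[0], "pid": key[1],
                "depth": int(err[1]),     # depth=0 is the peer certificate
                "subject": err[2], "reason": err[3],
                # wording of the key-strength rejection as it appears in the log
                "weak_key": "unacceptable key" in err[3],
                "passed_depths": passed.pop(key, []),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        kind = "key-strength rejection" if f["weak_key"] else "other failure"
        print(f'{f["instance"]}[{f["pid"]}] depth={f["depth"]} {f["subject"]}: {kind}')
```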