OpenVPN CA

Discussions for BiPAC 8900 series: 8900AX-1600, 8900AX-2400, 8900X
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

nightcustard wrote: Sun Mar 14, 2021 10:44 am Ah yes! Thanks BF - I'd forgotten there is an option to retain current settings. Always wise to make a backup though ;-)
I've applied the firmware update, changed the cipher encryption and HMAC auth from the defaults and renewed the certificate (which did change).
The firmware update process seemed a little odd though - I thought you should see a progress bar after pressing 'Upgrade' but the router's admin page gave no indication the router was undergoing the update other than after a while being replaced by a frowning smiley and the message 'Invalid response'. However, after my blood pressure had increased slightly, normal function was restored and all now appears well.
Strange, I tested the firmware here before release and it upgraded correctly with the progress bar.
nightcustard
Posts: 66
Joined: Sat Nov 03, 2012 2:50 pm

Re: OpenVPN CA

Post by nightcustard »

One of life's many mysteries, I suppose. I should have mentioned I was installing over 2.52.d46
Regards, Mike
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

So I've taken a look at the latest firmware with the implementation of users being able to generate random CAs on the OpenVPN server and note the following...

A randomly generated CA doesn't appear to have extended key usage, so it cannot be used for TLS Web Server Authentication. The default CA, which is the same CA as in the previous firmware and the same public CA on all Billion VPN routers, does have extended key usage and can be used for TLS Web Server Authentication.

I'll go back to my question earlier in the post. Why can't the OpenVPN server use an imported user CA from the trusted certificates page in exactly the same way as the OpenVPN client works?
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Thu Aug 19, 2021 11:59 am So I've taken a look at the latest firmware with the implementation of users being able to generate random CAs on the OpenVPN server and note the following...

A randomly generated CA doesn't appear to have extended key usage, so it cannot be used for TLS Web Server Authentication. The default CA, which is the same CA as in the previous firmware and the same public CA on all Billion VPN routers, does have extended key usage and can be used for TLS Web Server Authentication.

I'll go back to my question earlier in the post. Why can't the OpenVPN server use an imported user CA from the trusted certificates page in exactly the same way as the OpenVPN client works?
I'll pass your comments over to our engineers.
rirawin
Posts: 1
Joined: Mon Jun 18, 2012 12:48 pm

Re: OpenVPN CA

Post by rirawin »

Can confirm there was no progress bar for me when upgrading. It only popped up when I nervously clicked update again and said it was already in progress.

Have to say wifi performance is poor compared to the previous firmware version; it often drops out with my iPhone 11 Pro and iPhone 12 Pro.
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

rirawin wrote: Thu Aug 19, 2021 10:51 pm Can confirm there was no progress bar for me when upgrading. It only popped up when I nervously clicked update again and said it was already in progress.

Have to say wifi performance is poor compared to the previous firmware version; it often drops out with my iPhone 11 Pro and iPhone 12 Pro.
What wireless bands are your iPhones connecting to? Have you tried using the d50 firmware (found here http://www.forum.billion.uk.com/viewtop ... 7&start=20)?
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

Are we able to keep this post on topic?
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Fri Aug 20, 2021 10:22 am Are we able to keep this post on topic?
Yes, let's keep this post on topic; if anyone else has unrelated comments to this topic regarding this firmware release, please submit a new post :)
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Fri Aug 20, 2021 10:48 am
SPAU00 wrote: Fri Aug 20, 2021 10:22 am Are we able to keep this post on topic?
Yes, let's keep this post on topic; if anyone else has unrelated comments to this topic regarding this firmware release, please submit a new post :)
The latest release of OpenVPN now considers Billion's built-in CAs, which use the SHA1 algorithm, too weak; they should be updated to SHA2.

The latest release of OpenVPN will now not connect to Billion routers using the built-in CAs, which isn't optional.
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Wed Feb 08, 2023 12:49 am
billion_fan wrote: Fri Aug 20, 2021 10:48 am
SPAU00 wrote: Fri Aug 20, 2021 10:22 am Are we able to keep this post on topic?
Yes, let's keep this post on topic; if anyone else has unrelated comments to this topic regarding this firmware release, please submit a new post :)
The latest release of OpenVPN now considers Billion's built-in CAs, which use the SHA1 algorithm, too weak; they should be updated to SHA2.

The latest release of OpenVPN will now not connect to Billion routers using the built-in CAs, which isn't optional.
Let me check with our engineers
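
The two certificate properties raised in this thread (a SHA1-signed CA, and whether extended key usage lists TLS Web Server Authentication) can be checked from a certificate's text dump. The following is an added example, not part of any post above and not Billion's code; the function name, the `ca.crt` path and the two embedded dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example. With a real certificate file (ca.crt is a placeholder path):
#   openssl x509 -in ca.crt -noout -text | audit_cert_text

# Reads an `openssl x509 -noout -text` dump on stdin and reports the
# signature digest strength and the state of the Extended Key Usage extension.
audit_cert_text() {
    text=$(cat)
    # The algorithm is printed twice in a dump; the first occurrence is enough.
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        "") sig=UNKNOWN ;;
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) sig=WEAK ;;  # SHA-1 or MD5 digest
        *) sig=OK ;;                              # anything else passes this check
    esac
    if printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        eku=serverAuth
    elif printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        eku=other      # extension present, but serverAuth is not listed
    else
        eku=absent
    fi
    printf 'sig=%s(%s) eku=%s\n' "$sig" "$sigalg" "$eku"
}

# Constructed excerpt: SHA-1 signed CA with no Extended Key Usage extension.
sample_sha1_no_eku() { cat <<'EOF'
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Router CA
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Constructed excerpt: SHA-256 signed certificate that lists serverAuth.
sample_sha256_server() { cat <<'EOF'
        Signature Algorithm: sha256WithRSAEncryption
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_sha1_no_eku | audit_cert_text
sample_sha256_server | audit_cert_text
```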