Insecure OpenVPN Implementation in WRT3200ACM

Hey,

Before you read the rest of this post, this particular router is awesome. Like solid. I love it. I really do. This is the first time it's let me down, and it let me down hard, so I felt compelled to write this.

I was messing around with my settings because I needed a VPN setup for some work-related stuff. And imagine my delight when I found an option in my router to use OpenVPN.

Turns out that the official latest firmware version 1.0.8.199531 has an expired cert for OpenVPN, causing it to generate blank client configurations. The support page helpfully offers an update to version 1.0.9.211585.

WRT3200 ACM Downloads Page with the new firmware

I took the bait, and did not read the fine print.

The catch. I had to factory reset my router

Ok, so I have to reset the router and redo my whole network configuration. Maybe I should just create a virtual network with a VPN gateway with one of the cloud providers, but then again, this could be free. And I have a backup for the configuration. Should not be bad, right? Wrong! After restoring from backup, the router is still generating blank client configurations. Turns out you have to reset and manually configure the router again, as another user discovered. Restoring from backup does not fix the expired cert issue.

Now this is not your average home network. There are NAS devices, pi holes, vlans, specific wifi channels. This is not going to be trivial. But anyway, I am along for the ride at this point. So I proceed to screenshot each screen so I can recreate the configuration manually. My wife decides she has had enough. The wifi keeps going out and I keep cussing. She assumes a correlation, gives up and goes to bed. So I reset it again and manually configure.

Everything is working again. Non-empty client configurations are being generated. Things are looking up. I open the OpenVPN client V3 and …

Insecure hash error

Turns out this thing is using SHA1, which has been considered broken for at least 5 years. The whole thing works with OpenVPN client v2.7. So after all this work, the OpenVPN implementation uses an older insecure version.

Has anyone tried dd-wrt for the wrt3200acm? I considered it, but it seems that you can only install an OpenVPN Client, not a server/client.
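To see which digest signs the certificates in a generated client profile before importing it, the following is an added example (not part of the original post and not Linksys or OpenVPN code). It assumes the profile embeds its certificates inline in `<ca>` and `<cert>` blocks; the sample profile is constructed from DER skeletons that have a certificate's outer layout only.

```python
import base64
import re

# DER-encoded signature-algorithm OIDs that rely on a weak digest.
WEAK = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def signature_oid(der):
    """Return the raw OID bytes of Certificate.signatureAlgorithm."""
    _, start, _ = _tlv(der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)      # skip over tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return der[oid_start:oid_end]

def weak_certs(profile):
    """Map each inline <ca>/<cert> block signed with a weak digest to its algorithm."""
    found = {}
    for tag, body in re.findall(r"<(ca|cert)>(.*?)</\1>", profile, re.S):
        pem = PEM_RE.search(body)
        if pem:
            oid = signature_oid(base64.b64decode(pem.group(1)))
            if oid in WEAK:
                found[tag] = WEAK[oid]
    return found

def _skeleton(oid_hex):
    """Constructed stand-in: outer certificate layout only, not a valid certificate."""
    oid = bytes.fromhex(oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed sample profile: SHA-256-signed CA, SHA-1-signed client certificate.
SAMPLE = ("client\ndev tun\n<ca>\n" + _skeleton("2a864886f70d01010b") + "</ca>\n"
          "<cert>\n" + _skeleton("2a864886f70d010105") + "</cert>\n")
```

Calling `weak_certs()` on the text of a real `.ovpn` file returns an empty dict when no inline certificate is signed with MD5 or SHA-1.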

Late to the party, but just encountered this today :frowning:
Can get it to work on iOS with allowing insecure connections, but on Linux (Ubuntu variant) I just can’t get it to work.
Downgrading from OpenVPN 3 to 2.7 doesn’t seem like a good idea, all things considered: aka security.

Wondering if there is a way around this, or an update in the last months? I’m on the latest firmware.

I really wish that Linksys would continue to offer new firmware updates for this legendary router. I am considering buying an E8450 and using my WRT3200ACM as an access point, but I’m wary of support being dumped a couple years down the line. Probably going to flash DD-WRT so that my hardware still has a future, but this doesn’t inspire faith in Linksys.

Good luck with your struggles.

Hi!

I have the same device and the same problem. But in my use case (I use the OpenVPN connection to my router rarely and for a short time) I selected the Insecure option in the OpenVPN client on iOS.

In the OpenVPN app: menu - settings - advanced settings - Insecure

Before activating this option you need to understand the pros and cons.

PS: Linksys, please revive one of your best routers.

I have exactly the same problem. A huge time waste trying to find a solution (if indeed there is one). I cannot understand why Linksys would just abandon users of these routers, which provide built-in support for OpenVPN. Fixing the certificate hash function and uploading the update would only take a few minutes for a Linksys support engineer.

E8450

Don’t do it. I have tried these newer wifi 6 routers and they are all crap. I have not found a device that can beat the WRT3200ACM for signal strength and performance.

Hi, same for me. I’ve spent hours; finally, it works again with the ‘Insecure’ option.

I would prefer to regenerate the Linksys certificate properly :wink:. Help! Linksys support, where are you?

You must be high. This router is a piece of shit with regard to wireless radios. They tried to band-aid the problem by scheduling a reboot every day. However, if you disable the wireless radio, it’s pretty reliable.