Summary
OpenVPN® MD5 signed certificates support will be ending in May of 2018. Currently, the Certificate Authority for the VPN module is still signed using MD5. For further details see: https://docs.openvpn.net/planned-removal-of-md5-support/
Problem
OpenVPN®'s proposed end of MD5 signed certificate support may impact some devices. It is likely that, following the end of MD5 signed certificate support, Windows 10, iPad, Android, and Apple Mac devices will have connection issues.
Solution
To resolve potential Windows 10, iPad, Android, and Apple Mac connection issues following the end of MD5 signed certificate support, you will need to create and export a compatible Certificate Authority certificate. Once exported, the Certificate Authority file can be imported and assigned as the global VPN certificate. The Certificate Authority file can then be pushed to the impacted devices.
The following steps guide you through this process:
Step 1. Create Compatible Certificate
- Go to System > Certificates > Certificates for services.
- Click New root CA. The Add new root Certificate Authority dialog box is displayed.
- In the Common Name field, enter the name to be used for the new root Certificate Authority. In this example we will use the name 'VPN CA'.
Note: The Name field enables the entry of a meaningful name for the root Certificate Authority. If no name is entered, the Common name entry is used by default.
- Click Save changes.
- On the Certificates screen, hover over the newly created certificate authority and click the Export button.
- In the Export dialog box, select the Certificate option and click Export. The new '.crt' certificate file will be saved to your default downloads folder.
- On the Certificates screen, hover over the newly created certificate authority and click the New certificate button.
- In the Add New certificate dialog box, clear the Authority 'Allow this certificate to sign others' check box.
- In the Common Name field, leave the FQDN/host name of the Smoothwall; OpenVPN may check this when connecting. The certificate is signed with the Attribute ID as DNS, so the Smoothwall will need to be able to resolve whatever is in this field when the VPN connects, for example smoothwall.znet.local.
- Click Save changes.
- On the Certificates screen, hover over the newly created certificate and click the Export button.
- In the Export dialog box, select the Certificate and keys option.
- Enter a Password for the certificate and click Export. The certificate will be saved to your default downloads folder.
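A check worth doing once the root CA has been exported (an added Python example, not from the Smoothwall article): read the signature algorithm out of the exported '.crt' file using only the standard library, so you can confirm the new authority is not MD5-signed before importing it. The DER walk reads only the outer Certificate structure; the file name VPN CA.crt is the article's.

```python
import base64
import re

# Signature algorithm OIDs commonly seen on CA certificates; the first one
# is the md5WithRSAEncryption signature that OpenVPN stops accepting.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                 # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(pem):
    """Return (OID, name) of the algorithm the PEM certificate is signed with."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    _, cert, _ = _tlv(der, 0)         # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, after_tbs = _tlv(cert, 0)   # skip tbsCertificate
    _, alg, _ = _tlv(cert, after_tbs) # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = _tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    oid = _decode_oid(oid_bytes)
    return oid, SIG_OIDS.get(oid, "unknown")

def is_md5_signed(pem):
    """True when the certificate carries an MD5-with-RSA signature."""
    return signature_algorithm(pem)[0] == "1.2.840.113549.1.1.4"
```

Run it as `is_md5_signed(open("VPN CA.crt").read())`; a result of True means the export is still the old MD5-signed authority and must not be rolled out.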
Step 2. Import certificates
- Go to Network > VPN > Certificate authorities.
- In the Import Certificate Authority certificate panel, click the Choose File button and select the '.crt' certificate authority file exported in Step 1. Create Compatible Certificate (in this example, VPN CA.crt).
- Click the Import CA certificate from PEM button to import the exported certificate authority file.
- Go to Network > VPN > Certificates.
- In the Import certificates panel, in the Password field, enter the certificate and key password assigned when exporting the certificate and key in step 1.
- In the Import PKCS#12 filename field, click the Choose File button and select the certificate and key file exported in step 1.
- Click the Import certificate and key from PKCS#12 button.
Step 3. Set the global VPN certificate
- Go to Network > VPN > Global.
- From the Certificate drop-down select the imported certificate and click Save.
Step 4. Device configuration
The following environment-based steps guide you through the certificate application process:
Windows 10
- Download the previously exported SSL VPN certificate file.
- Download the '.crt' certificate authority file exported in Step 1. Create Compatible Certificate (in this example, VPN CA.crt).
- Rename the VPN CA.crt file to cacert.pem and replace the cacert.pem in the archive.
- Copy to the Windows 10 computer.
- Install the SSL VPN software.
- Download and install the latest tap adaptor from https://download.smoothwall.net/support/
Note: As of 1st March 2018, https://download.smoothwall.net/support/tap-windows-9.21.2.exe
- Run the software and import the openvpn config.
iPad
- Download the previously exported SSL VPN certificate file.
- Download the '.crt' certificate authority file exported in Step 1. Create Compatible Certificate (in this example, VPN CA.crt).
- Rename the VPN CA.crt file to cacert.pem and replace the cacert.pem in the archive.
- Edit the open.ovpn file.
- If using Transport Layer Security (TLS)
The archive will look something like:
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
auth-user-pass
cipher AES-256-CBC
auth SHA1
comp-lzo
verb 3
nobind
remote 1.1.1.1 443
proto tcp-client
tls-remote "/CN=smoothwall.znet.local/O=smoothwall__ltd/C=GB"
tls-auth ta.key 1
- Remove the line 'ca cacert.pem' and paste the contents of cacert.pem between <ca></ca> tags.
- Remove the line 'tls-auth ta.key 1' and paste the contents of ta.key between <tls-auth></tls-auth> tags.
- Add the line 'key-direction 1'.
For example:
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-256-CBC
auth SHA1
comp-lzo
verb 3
nobind
remote 10.50.8.111 443
proto tcp-client
tls-remote "/CN=smoothwall.znet.local/O=smoothwall__ltd/C=GB"
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIFdjCCA16gAwIBAgIHBWWOI5X5JzANBgkqhkiG9w0BAQsFADA4MTYwNAYDVQQD
Ey1TbW9vdGh3YWxsLWRlZmF1bHQtcm9vdC1jZXJ0aWZpY2F0ZS1hdXRob3JpdHkw
IhgPMjAxODAyMTkxMDI3MjBaGA8yMDIxMDIxODEwMjcyMFowODE2MDQGA1UEAxMt
U21vb3Rod2FsbC1kZWZhdWx0LXJvb3QtY2VydGlmaWNhdGUtYXV0aG9yaXR5MIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8Hot2n1cpGjqaBhDrJVGrU6o
...
...
...
2nAT87Ed9TlvHH962O4fiYgP9QnyzdSTIa+j/ks+Vr3z7COG1rBEPc7pWXUW6MBy
EGsXfZXtKJ7Q5iw8jERb+SE5D9guX/wiJ7zpjYS9TImSG0y2ELbuilukNFcs7A5O
aEChQ4FvnAJ71O4wTKoMbRzZSJ2oQfSo5TYlCWxM1fIeYkpuVDeu1h/lRS+JJA8X
pj8Pual0AfSiIg==
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
b50b9d79d96c5e243a2c3e3e77b2704f
a9420ad62cdd95334594ad605b1f3d6e
0289a60e766e6ea1546ba7606694932f
fc95e83eb4f4a11415a177f345a1438f
...
...
...
543d7dcc6b5b46f186b104a86a72c8f7
5c278b72c06c24e66ffbe140482c758d
f1f09abc89b4b1a134f791b15383f2da
-----END OpenVPN Static key V1-----
</tls-auth>
- If not using Transport Layer Security (TLS)
The archive will look something like:
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
auth-user-pass
cipher AES-256-CBC
auth SHA1
comp-lzo
verb 3
nobind
remote 1.1.1.1 443
proto tcp-client
tls-remote "/CN=smoothwall.znet.local/O=smoothwall__ltd/C=GB"
tls-auth ta.key 1
- Remove the line 'ca cacert.pem' and paste the contents of cacert.pem between <ca></ca> tags.
- Remove the line 'tls-auth ta.key 1' and paste the contents of ta.key between <tls-auth></tls-auth> tags.
- Add the line 'key-direction 1'.
For example:
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-256-CBC
auth SHA1
comp-lzo
verb 3
nobind
remote 10.50.8.111 443
proto tcp-client
tls-remote "/CN=smoothwall.znet.local/O=smoothwall__ltd/C=GB"
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIFdjCCA16gAwIBAgIHBWWOI5X5JzANBgkqhkiG9w0BAQsFADA4MTYwNAYDVQQD
Ey1TbW9vdGh3YWxsLWRlZmF1bHQtcm9vdC1jZXJ0aWZpY2F0ZS1hdXRob3JpdHkw
IhgPMjAxODAyMTkxMDI3MjBaGA8yMDIxMDIxODEwMjcyMFowODE2MDQGA1UEAxMt
U21vb3Rod2FsbC1kZWZhdWx0LXJvb3QtY2VydGlmaWNhdGUtYXV0aG9yaXR5MIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8Hot2n1cpGjqaBhDrJVGrU6o
...
...
...
2nAT87Ed9TlvHH962O4fiYgP9QnyzdSTIa+j/ks+Vr3z7COG1rBEPc7pWXUW6MBy
EGsXfZXtKJ7Q5iw8jERb+SE5D9guX/wiJ7zpjYS9TImSG0y2ELbuilukNFcs7A5O
aEChQ4FvnAJ71O4wTKoMbRzZSJ2oQfSo5TYlCWxM1fIeYkpuVDeu1h/lRS+JJA8X
pj8Pual0AfSiIg==
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
b50b9d79d96c5e243a2c3e3e77b2704f
a9420ad62cdd95334594ad605b1f3d6e
0289a60e766e6ea1546ba7606694932f
fc95e83eb4f4a11415a177f345a1438f
...
...
...
543d7dcc6b5b46f186b104a86a72c8f7
5c278b72c06c24e66ffbe140482c758d
f1f09abc89b4b1a134f791b15383f2da
-----END OpenVPN Static key V1-----
</tls-auth>
- Email the connection.ovpn file to the iPad.
- Install OpenVPN, and run the connection.ovpn file from the iPad.
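The profile edit described above for the iPad (both the tls-auth and plain variants), as an added Python example that is not from the Smoothwall article: it performs the three edits on an .ovpn programmatically and takes the key-direction value from the existing tls-auth line instead of hard-coding 1. The sample profile, certificate and key below are constructed stand-ins for the article's open.ovpn, cacert.pem and ta.key.

```python
# Constructed stand-ins for open.ovpn, cacert.pem and ta.key (not real key material).
SAMPLE_OVPN = """client
dev tun
ca cacert.pem
auth-user-pass
remote 10.50.8.111 443
proto tcp-client
tls-auth ta.key 1
"""
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIF...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_TA = ("-----BEGIN OpenVPN Static key V1-----\n00ff...constructed...\n"
             "-----END OpenVPN Static key V1-----\n")

def uses_tls_auth(ovpn):
    """True when the profile references an external tls-auth key file."""
    return any(line.split()[:1] == ["tls-auth"] for line in ovpn.splitlines())

def inline_profile(ovpn, ca_pem, ta_key=None):
    """Return the profile with 'ca <file>' replaced by an inline <ca> block and, if
    present, 'tls-auth <file> [direction]' replaced by an inline <tls-auth> block
    plus the matching key-direction line, so no side files need shipping."""
    kept, blocks = [], []
    for line in ovpn.splitlines():
        words = line.split()
        if words[:1] == ["ca"]:
            blocks.append("<ca>\n" + ca_pem.strip() + "\n</ca>")
        elif words[:1] == ["tls-auth"]:
            if ta_key is None:
                raise ValueError("profile uses tls-auth but no key text was supplied")
            if len(words) > 2:            # 'tls-auth ta.key 1' -> 'key-direction 1'
                kept.append("key-direction " + words[2])
            blocks.append("<tls-auth>\n" + ta_key.strip() + "\n</tls-auth>")
        else:
            kept.append(line)
    return "\n".join(kept + blocks) + "\n"

if __name__ == "__main__":
    print(inline_profile(SAMPLE_OVPN, SAMPLE_CA, SAMPLE_TA))
```

Write the returned text to connection.ovpn and it can be emailed to the device as a single file.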
Apple Mac
- Make the same modifications to the open.ovpn as for the iPad.
- Install Tunnelblick https://tunnelblick.net/downloads.html
- Extract the SSL VPN archive to a permanent location on your hard disk.
- Double click the open.ovpn file.
Android
- Make the same modifications to the open.ovpn as for the iPad.
- Install OpenVPN® from the Google Play Store
- Email/send the '.ovpn' file to your Android device.
- Open OpenVPN®. Tap the OVPN Profile button to select the .ovpn file.
- Type in your username (password entry is optional).
Note: If a certificate warning message is displayed, click Continue.