VPN TLS Too Weak


#1

GWN7000 with firmware 10.0.9.6
Encryption Algorithm AES-256-CBC
Digest Algorithm SHA256

According to the newest firmware release, it should have support for TLS 1.2. I just set up a VPN with 2 clients as a test: 1 laptop and 1 Android 11.

On the laptop I’m using the official OVPN app, current version 3.3.6 (latest), and on the Android it's version 3.2.5 (latest).

They both connect and work, but it seems like the GWN7000 is using TLS1.0 or below and there is no option to select the TLS version. I would like to use at minimum TLS1.2.

Maybe I made a misconfiguration in the VPN setup, but I did not see any TLS option. Any help or advice is much appreciated.
Thanks
Ralph


#2

According to the F/W release notes TLS 1.2 was added in version 10.0.9.5, but I suspect that it is not just a VPN setting so you may have to look around a bit.

I would look for you, but I removed the few I ever installed a while back.


#3

When I have time I will go at it again. I used the client directive tls-version-min to tls1.1 and tls1.2 and the client gave me a complaint that the server TLS version is too weak, so I changed the client to a minimum of tls1.0 and the connection was successful. For now my Android and laptop will use what TLS is available now.

Thanks
Ralph
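Added example, not part of any post in this thread: a small Python audit that reads a client `.ovpn` profile and reports when its `tls-version-min` floor has been lowered below 1.2, the workaround described in the post above. The 1.2 requirement, the function names and both sample profiles are assumptions made for this example.

```python
import re

REQUIRED_MIN = (1, 2)  # assumption of this example: floor of TLS 1.2
WANTED = {"tls-version-min", "cipher", "auth"}

def parse_profile(text):
    """Return {directive: [args]} for WANTED directives in an .ovpn profile."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:  # <ca> ... </ca> style inline blocks hold PEM data, not directives
            inline = None if tag.group(1) else tag.group(2)
            continue
        if inline or not line:
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":  # a comment starts at this token
                break
            tokens.append(tok)
        if tokens and tokens[0] in WANTED:
            found[tokens[0]] = tokens[1:]  # this example keeps the last occurrence
    return found

def audit(text):
    """Return a list of findings about the profile's TLS floor."""
    args = parse_profile(text).get("tls-version-min")
    if not args:
        return ["tls-version-min not set: floor is left to the client default"]
    try:
        major, minor = (int(p) for p in args[0].split("."))
    except ValueError:
        return [f"tls-version-min value {args[0]!r} is not a version number"]
    if (major, minor) < REQUIRED_MIN:
        return [f"tls-version-min {args[0]} is below the required 1.2"]
    return []

# Constructed sample profiles (not taken from the thread).
LOWERED = ("client\nremote vpn.example.invalid 1194\ncipher AES-256-CBC\n"
           "auth SHA256\ntls-version-min 1.0   # lowered so the tunnel comes up\n"
           "<ca>\n-----BEGIN CERTIFICATE-----\n(placeholder)\n"
           "-----END CERTIFICATE-----\n</ca>\n")
PINNED = "client\ncipher AES-256-CBC\nauth SHA256\ntls-version-min 1.2\n"

if __name__ == "__main__":
    for name, profile in (("LOWERED", LOWERED), ("PINNED", PINNED)):
        print(name, audit(profile) or "ok")
```

Run over a directory of deployed profiles, an empty result means the floor is pinned at 1.2 or higher; any finding marks a profile that will accept an older TLS version from the server.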


#4

I’m wondering if you ever solved this issue?
A year has gone by and things have only got worse. As of OVPN Connect ver 3.4 it wants a minimum version of TLS 1.2 and preferred 1.3; however, I need to disable the security altogether to connect even though I have the newest firmware on my GWN7000, which tells me that the VPN is not functioning on even TLS 1.2.
My Synology NAS as well as other devices won’t even connect to the VPN any longer as it won’t work on the older TLS.
This router firmware has been a nightmare for a long time; this is just one of many things.
In the past, I could control my Grandstream Access Points with it, but then the AP firmware got newer than the router and it would not support them any longer.
I haven’t been impressed with Grandstream network equipment and lack of support.