Orbi Firmware Upgrades Not Keeping Up With OpenVPN Security Standards

Greetings!

I am leveraging the VPN function on the Orbi, which uses OpenVPN. I had no problems until around early last year, when our OpenVPN connections started showing this error:

WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations

OpenVPN made this change to remove compression way back in 2023-01. So this compression issue is preventing connection with the VPN. Why hasn't NETGEAR been keeping up with this and making changes to the VPN with firmware upgrades? How can I fix this issue and get my VPN back up and running?
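As an added example (not part of this thread, and not NETGEAR or OpenVPN code), the small checker below reads a client profile (.ovpn) and flags the three things the messages in this thread are about: a compression option (`comp-lzo`/`compress`), a `cipher` that is not in `data-ciphers` and has no `data-ciphers-fallback`, and a `tap` device, which OpenVPN Connect 3 no longer supports. It also lists the options that the OpenVPN Connect 3.4.3 log later in this thread reports as ignored. The sample profile is constructed to resemble a router-exported client config and is not a real NETGEAR export; the hostname, port and certificate are placeholders.

```python
"""Lint an OpenVPN client profile for options that OpenVPN 2.6 warns about
or that OpenVPN Connect 3.x drops. Added example; assumptions are noted inline."""
from __future__ import annotations

from dataclasses import dataclass

# Data-channel ciphers OpenVPN 2.6 negotiates when data-ciphers is absent,
# as printed in the "DEPRECATED OPTION" warning quoted in this thread.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]

# Options OpenVPN Connect 3.4.3 reported as "not used" / "unsupported"
# in the log posted further down in this thread.
IGNORED_BY_CONNECT3 = {"resolv-retry", "persist-key", "persist-tun", "route-method", "dev-node"}

# Constructed sample: resembles a router-exported client profile, not a real export.
SAMPLE_PROFILE = """\
# constructed sample profile (placeholder host, port and certificate)
client
dev tun
dev-node NETGEAR-VPN
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
persist-key
persist-tun
route-method exe
cipher AES-128-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
"""

# Same profile with compression removed and the legacy cipher added to data-ciphers,
# which is what OpenVPN 2.6 asks for on the client side (assumes the server still offers it).
HARDENED_PROFILE = SAMPLE_PROFILE.replace("comp-lzo\n", "").replace(
    "cipher AES-128-CBC",
    "cipher AES-128-CBC\ndata-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC",
)


@dataclass
class Finding:
    severity: str  # "error", "warn" or "info"
    option: str
    message: str


def parse_profile(text: str) -> list[tuple[str, list[str]]]:
    """Split a .ovpn file into (option, args) pairs.

    Comments, blank lines and inline <ca>/<cert>/<key>/<tls-auth> blocks are
    skipped; only the option lines matter for this check.
    """
    options: list[tuple[str, list[str]]] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = line.split()
            options.append((parts[0], parts[1:]))
    return options


def lint_profile(text: str) -> list[Finding]:
    """Report options that OpenVPN 2.6 warns about or that OpenVPN Connect 3 ignores."""
    opts = parse_profile(text)
    names = {name for name, _ in opts}
    data_ciphers = DEFAULT_DATA_CIPHERS
    for name, args in opts:
        if name == "data-ciphers" and args:
            data_ciphers = args[0].split(":")

    findings: list[Finding] = []
    for name, args in opts:
        if name in ("comp-lzo", "compress"):
            findings.append(Finding("warn", name,
                "compression is enabled; OpenVPN 2.6 warns that compression has been used "
                "to break encryption and no longer sends compressed packets. Both the client "
                "profile and the server config need to stop using it."))
        elif name == "cipher" and args:
            requested = args[0]
            if requested not in data_ciphers and "data-ciphers-fallback" not in names:
                findings.append(Finding("warn", name,
                    f"--cipher {requested} is ignored for negotiation in OpenVPN 2.6; add it to "
                    f"data-ciphers (currently {':'.join(data_ciphers)}) or set "
                    "data-ciphers-fallback if the server only speaks that cipher."))
        elif name == "dev" and args and args[0].startswith("tap"):
            findings.append(Finding("error", name,
                "tap interfaces are not supported by OpenVPN Connect 3.x; use a tun profile."))
        elif name in IGNORED_BY_CONNECT3:
            findings.append(Finding("info", name,
                "ignored by OpenVPN Connect 3.x (harmless, but not applied)."))
    return findings


if __name__ == "__main__":
    for label, profile in (("sample", SAMPLE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} ==")
        for f in lint_profile(profile):
            print(f"[{f.severity}] {f.option}: {f.message}")
```

Run against the sample, the checker reports `comp-lzo` and `cipher` as warnings and the five Connect-ignored options as info; against the hardened copy only the info items remain. Note that the client-side fix only silences the cipher warning if the router's OpenVPN server actually still offers AES-128-CBC, which nobody in this thread could verify.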

3 Comments
CrimpOn
Guru

Why Netgear does (or does not do) anything is not something any member of the Community forum has insight into.

What we can do is offer suggestions for how to make use of the product. For example, I connected a Windows 10 laptop to the internet (using a cell phone Hot Spot via LTE data) and used OpenVPN Connect 3.3.7 (2939) to connect with an RBR50. As the attached log file shows, it worked correctly. OpenVPN Connect prompted that an update was available, so I updated the Windows app to 3.4.3 (3337). The next attempt to connect failed (see log file). OpenVPN Connect claimed there were "problems" and did not specify what they were:

OpenVPN Connect 3.4.3 (3337) on Windows 10, Feb 13

[Feb 13, 2024, 15:43:22] OpenVPN core 3.8.2connect3 win x86_64 64-bit OVPN-DCO built on Dec  1 2023 16:39:43
[Feb 13, 2024, 15:43:22] Frame=512/2112/512 mssfix-ctrl=1250
[Feb 13, 2024, 15:43:22] NOTE: This configuration contains options that were not used:
[Feb 13, 2024, 15:43:22] Unsupported option (ignored)
[Feb 13, 2024, 15:43:22] 5 [resolv-retry] [infinite]
[Feb 13, 2024, 15:43:22] 7 [persist-key]
[Feb 13, 2024, 15:43:22] 8 [persist-tun]
[Feb 13, 2024, 15:43:22] 17 [route-method] [exe]
[Feb 13, 2024, 15:43:22] UNKNOWN/UNSUPPORTED OPTIONS
[Feb 13, 2024, 15:43:22] 3 [dev-node] [NETGEAR-VPN]

Thus it would appear that if OpenVPN Connect is the tool being used, one way to address this issue is to reinstall the previous version 3.3.7 (2939).

This Windows 10 laptop has OpenVPN GUI installed as well, v2.6.2, Mar 24, 2023. The tap connection worked, but the tun connection failed. Version 3 of OpenVPN dropped support for tap connections, so I kept 2.6.2 installed specifically to look at how tap behaves differently than tun. I have not spent any time diagnosing "what's wrong" since the OpenVPN Connect app was working - until I went and upgraded it - damn.

The tap connection that worked spit out the same error messages you noticed, but it still connected:

2024-02-13 16:03:59 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-02-13 16:03:59 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
2024-02-13 16:03:59 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
2024-02-13 16:03:59 OpenVPN 2.6.2 [git:v2.6.2/3577442530eb7830] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 24 2023

I agree totally that it is annoying when vendors do not keep products up-to-date. Heck, Netgear has only 19 Orbi router models (and ?? Nighthawk models). How long could it take for some intern to update the OpenVPN software on all of them? (and test it, maybe)

My advice: find a version of OpenVPN that "works".

While I agree with your "find a version that works" and stick with it mentality, that is not a very security-centric approach. That has gotten so many companies into trouble, and since this is being used by a business this is not acceptable. Changes to the software, especially for security reasons, cannot be overlooked and will not be accepted by security oversight. With the non-compliant version of the server on the router, this will make us have to move away from the device's built-in VPN and go to another solution. We are using the most recent version of the client as called out on the OpenVPN Community download site, 2.6.9. I have no way of knowing which version is installed on the router as it doesn't show that information.

So from what I can tell the server on the router hasn't been updated since the change in server software and there is no way to change the software. We will have to start looking into different options.

ReneD
NETGEAR Moderator

Hello @JBX_Industries,

And welcome to the NETGEAR Community! 🙂

I understand that this issue has not been addressed by Netgear Engineering for Orbi routers yet. However, since the Orbi devices are already EOL (end of life), it will be best to open this issue under the Ideas Exchange for Business products so they can modify or build a firmware that adds these features. Or you can open a support ticket with Netgear Support so Netgear engineers can investigate and come up with a patch firmware that addresses this, as long as your device is still under the 5-year hardware warranty.

Have a lovely day,

Rene D
Netgear Team