
greywardens1
Aspirant
May 01, 2021

ORBI AX6000 with Satellite VPN susceptible to Man in the Middle Attack

ORBI AX6000

Firmware V3.2.18.1_1.4.14

OpenVPN Server/Client

I turned my logging up to 5 in the config.

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.


Important Note on possible "Man-in-the-Middle" attack | OpenVPN


I did a google  search and found this in this community:

Solved: OpenVPN warning: No server certificate verificati... - NETGEAR Communities

but it's not solved on the AX6000s on this firmware. I added this as the last line: "remote-cert-tls server". I now get the following error in my OpenVPN log, and it keeps cycling like this, failing on validation:

2021-05-01 13:51:54 us=563806 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
2021-05-01 13:51:54 us=563806 Certificate does not have key usage extension
2021-05-01 13:51:54 us=563806 VERIFY KU ERROR
2021-05-01 13:51:54 us=563806 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-05-01 13:51:54 us=563806 TLS_ERROR: BIO read tls_read_plaintext error
2021-05-01 13:51:54 us=563806 TLS Error: TLS object -> incoming plaintext read error
2021-05-01 13:51:54 us=563806 TLS Error: TLS handshake failed
2021-05-01 13:51:54 us=563806 TCP/UDP: Closing socket
2021-05-01 13:51:54 us=563806 SIGUSR1[soft,tls-error] received, process restarting
2021-05-01 13:51:54 us=563806 MANAGEMENT: >STATE:1619902314,RECONNECTING,tls-error,,,,,
2021-05-01 13:51:54 us=563806 Restart pause, 5 second(s)


Here is my client1 configuration, without my URL (sorry guys, I'm not open to the world here).


client
dev tap
proto udp
sndbuf 0
rcvbuf 0
auth-nocache
allow-compression no
push "sndbuf 393216"
push "rcvbuf 393216"
dev-node NETGEAR-VPN
remote *.mynetgear.com 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
data-ciphers AES-128-CBC
comp-lzo no
verb 5


This works, but flags the MITM issue as a possibility. When I add the fix, it doesn't work at all... I even looked up those errors and it told me to remove "remote-cert-tls server" from the configuration. So it either runs less securely, or not at all. Can someone please help?

5 Replies
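The two outcomes in the post (a connection that warns about MITM without the directive, and "Certificate does not have key usage extension" / "VERIFY KU ERROR" with it) come down to what the router's server certificate carries. The script below is an added example, not code from the post or from NETGEAR: it generates a throwaway CA and two server certificates locally, one issued with no extensions (the situation the KU error describes) and one issued with the keyUsage and extendedKeyUsage values a VPN server certificate should have, then runs the check that "remote-cert-tls server" performs in essence: a keyUsage extension containing Digital Signature or Key Encipherment plus an extendedKeyUsage containing TLS Web Server Authentication. The CA subject mirrors the depth=1 line from the log, but every key and certificate here is constructed by the script; nothing is taken from the Orbi. Requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example: reproduce the certificate checks behind OpenVPN's
# "remote-cert-tls server" against two locally generated server certificates.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA. Subject mirrors the post's depth=1 line; key is generated here.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout ca.key -out ca.crt -subj "/C=TW/O=netgear/CN=netgear" 2>/dev/null

# One server key and CSR, signed twice below. The CN is a constructed value.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout server.key -out server.csr -subj "/CN=orbi-vpn-server" 2>/dev/null

# (a) Signed with no X509v3 extensions at all. This is the shape of certificate
#     that produces "Certificate does not have key usage extension".
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 2 -out server-noku.crt 2>/dev/null

# (b) Signed with the KU/EKU values "remote-cert-tls server" expects.
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 2 -extfile server.ext -out server-ok.crt 2>/dev/null

# Returns 0 when the certificate would satisfy "remote-cert-tls server":
# keyUsage present with Digital Signature or Key Encipherment, and
# extendedKeyUsage present with TLS Web Server Authentication.
# Returns 1 on a policy failure, 2 if the file cannot be parsed.
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    case "$ku" in
        *"Digital Signature"*|*"Key Encipherment"*) ;;
        *) echo "$1: keyUsage missing or unusable (${ku:-none})"; return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "$1: extendedKeyUsage lacks serverAuth (${eku:-none})"; return 1 ;;
    esac
    echo "$1: would pass remote-cert-tls server"
    return 0
}

# Demo: the extension-less certificate fails, the properly issued one passes.
for c in server-noku.crt server-ok.crt; do
    check_server_cert "$c" || true
done
```

The practical consequence for the configuration in the post: "remote-cert-tls server" can only be satisfied by reissuing the router's server certificate with those extensions, which the firmware does not expose. Until then the client has no binding to a specific server identity, so the second-best option is to pin the server certificate's subject with "verify-x509-name" (the exact subject of the Orbi's depth=0 certificate is not shown in the log, so that value is an assumption the reader has to fill in from their own verbose output). OpenVPN's "tls-verify" hook, which receives the peer certificate path in its environment, is one way to read that subject from the client side; whether it behaves the same on the Orbi build is untested here.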