Forum Discussion
Shovel-SR
Apr 16, 2023 (Aspirant)
Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile
Hi all, I just switched from a Nighthawk R6800 to an Orbi RBK353 mesh (RBK350 router and 2 satellites). I am really pleased with the Orbi generally, except for the VPN service. The router F/w...
CrimpOn
Apr 16, 2023 (Guru - Experienced User)
Bummer. This is using a config file produced by the new Orbi RBR350 router?
The Android configuration that I am using for an older Orbi RBR50 is this:
client
dev tun
proto udp
remote xxxxxxxx.mynetgear.com 12973
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
OpenVPN Connect 3.3.1, updated Feb 22, 2023 on Android 10.
The OpenVPN log file:
08:54:56.172 -- ----- OpenVPN Start -----
08:54:56.173 -- EVENT: CORE_THREAD_ACTIVE
08:54:56.175 -- OpenVPN core 3.git::d3f8b18b:Release android arm64 64-bit PT_PROXY
08:54:56.175 -- Frame=512/2048/512 mssfix-ctrl=1250
08:54:56.181 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
13 [verb] [5]
08:54:56.181 -- EVENT: RESOLVE
08:54:56.392 -- Contacting 172.249.112.236:12973 via UDP
08:54:56.392 -- EVENT: WAIT
08:54:56.396 -- Connecting to [xxxxxxxxxx.mynetgear.com]:12973 (xxx.xxx.xxx.xxx) via UDPv4
08:54:56.585 -- EVENT: CONNECTING
08:54:56.588 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
08:54:56.588 -- Creds: UsernameEmpty/PasswordEmpty
08:54:56.589 -- Peer Info:
IV_VER=3.git::d3f8b18b:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.1-9079
IV_SSO=webauth,openurl
08:54:56.685 -- VERIFY OK: depth=1, /C=TW/ST=TW/L=Taipei/O=netgear/OU=netgear/CN=netgear CA/name=EasyRSA/emailAddress=mail@netgear, signature: RSA-SHA256
08:54:56.686 -- VERIFY OK: depth=0, /C=TW/ST=TW/L=Taipei/O=netgear/OU=netgear/CN=server/name=EasyRSA/emailAddress=mail@netgear, signature: RSA-SHA256
08:54:56.840 -- SSL Handshake: peer certificate: CN=server, 1024 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
08:54:56.840 -- Session is ACTIVE
08:54:56.841 -- EVENT: GET_CONFIG
08:54:56.843 -- Sending PUSH_REQUEST to server...
08:54:56.997 -- OPTIONS:
0 [dhcp-option] [DNS] [192.168.1.1]
1 [route-gateway] [192.168.2.1]
2 [topology] [subnet]
3 [ping] [10]
4 [ping-restart] [120]
5 [redirect-gateway] [def1]
6 [ifconfig] [192.168.2.2] [255.255.255.0]
7 [peer-id] [0]
8 [cipher] [AES-256-GCM]
08:54:56.998 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
key-derivation: OpenVPN PRF
compress: LZO_STUB
peer ID: 0
08:54:56.999 -- EVENT: ASSIGN_IP
08:54:57.021 -- Connected via tun
08:54:57.022 -- LZO-ASYM init swap=0 asym=1
08:54:57.022 -- Comp-stub init swap=0
08:54:57.023 -- EVENT: CONNECTED info='xxxxxxxx.mynetgear.com:12973 (xxx.xxx.xxx.xxx) via /UDPv4 on tun/192.168.2.2/ gw=[192.168.2.1/]'
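An added example, not part of CrimpOn's post or of NETGEAR's or OpenVPN's code: a small audit of the kind of client log shown above, reporting the legacy server parameters it records (1024-bit RSA server certificate, `auth SHA1`, `comp-lzo`), plus a check for the `remote-cert-tls server` directive discussed in this thread. The 2048-bit floor, the function names, the sample profile and its placeholder host name are assumptions of this example.

```python
import re

MIN_RSA_BITS = 2048  # assumption: policy floor chosen for this example

# Constructed sample: lines in the shape of the OpenVPN Connect log above.
SAMPLE_LOG = """\
08:54:56.588 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
08:54:56.840 -- SSL Handshake: peer certificate: CN=server, 1024 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
08:54:56.997 -- OPTIONS:
8 [cipher] [AES-256-GCM]
"""

# Constructed sample profile; the host name is a placeholder.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 12973
nobind
"""


def audit_log(log_text):
    """Return findings about the server parameters recorded in a client log."""
    findings = []
    cert = re.search(r"peer certificate: CN=([^,]+), (\d+) bit RSA", log_text)
    if cert and int(cert.group(2)) < MIN_RSA_BITS:
        findings.append(f"cert CN={cert.group(1)}: {cert.group(2)}-bit RSA key")
    # The options string is comma-separated; individual options contain spaces.
    tunnel = re.search(r"Tunnel Options:(.*)", log_text)
    options = tunnel.group(1).split(",") if tunnel else []
    if "auth SHA1" in options:
        findings.append("tunnel options: auth SHA1")
    if any(o.startswith("comp-lzo") for o in options):
        findings.append("tunnel options: comp-lzo")
    return findings


def checks_server_cert_usage(config_text):
    """True if the profile contains the directive `remote-cert-tls server`."""
    for line in config_text.splitlines():
        # Drop a trailing '#' comment, then compare the directive's tokens.
        if line.split("#", 1)[0].split() == ["remote-cert-tls", "server"]:
            return True
    return False


if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
    print(checks_server_cert_usage(SAMPLE_CONFIG))
```

The findings describe what the log records about the server side; they are not a diagnosis of the "certificate verify failed" error reported in this thread.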
Shovel-SR
Apr 16, 2023 (Aspirant)
Hi CrimpOn,
Thanks for the response. Your config is exactly the same as mine where it matters (obviously different server addresses etc - I use a NoIP DDNS pointing back to my router).
I have found a solution this afternoon though. Where the issue is, I still can't say especially as some users with OpenVPNConnect are fine, and others aren't.
The solution was to install another VPN client software, called "OpenVPN for Android" written by Arne Schwabe, and available on Google Play. While this is not my preferred option, as I would rather use the official app, it has solved the problem. It appears therefore that there is a bug in OpenVPN Connect. Odd, as other users are having no issues, and I didn't on my R6800. It only started once I had switched to the Orbi. I suspect that the "bug" is a mismatch between the Orbi server settings and OpenVPN Connect.
Interestingly, in order to eliminate a very similar issue on Windows, I had to add a line to the end of my config file:
remote-cert-tls server
Whatever the issues are, the solution for Android is to install and use OpenVPN for Android, and not the official OpenVPN app.
Cheers
- CrimpOn, Apr 16, 2023 (Guru - Experienced User)
My DDNS is also through No-IP.com
Very puzzling. Where did my log file differ from yours?
- Shovel-SR, Apr 16, 2023 (Aspirant)
Hi all,
I just switched from a Nighthawk R6800 to an Orbi RBK353 mesh (router and 2 satellites). I am really pleased with the Orbi generally, except for the VPN service.
I had a VPN on my R6800 which worked for 5+ years without issues. Setting up the same service on my Orbi with new client configs for my Windows and Android devices has been less than inspiring. I have managed to get the Windows service working, but only after many hours of trying various web-posted solutions. The one that worked for Windows was to add a line at the end of the config "remote-cert-tls server".
However, adding that to the Android config file achieves nothing. I get the exact same error and am now going round in circles. The full error message is:
Transport Error:OpenSSLCOntext::read_cleartext:BIO_read failed,cap=2576 status=-1:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.
My config file is standard as produced by the router for Android - a smart_phone.ovpn which is a unified config with the certs and keys included.
I am using a DDNS (which is updated and working).
Anybody got any ideas?
Thanks
- Shovel-SR, Apr 17, 2023 (Aspirant)
I don't know why, but any reply I put up here is disappearing. I have tried 4 times to respond with my log file but as soon as I hit post, the message flies off into the aether.
- Shovel-SR, Apr 17, 2023 (Aspirant)
OK so that last one stayed up. It must be I'm doing something wrong with the log file. As it is so small, I was pasting it inline directly to the post from a plain text file (so no markup). I can only assume the system has an issue with that for some reason.
I can't see how to upload the file, as the attachment box below won't accept anything other than PDF or images.