jrushford
Aspirant
Jun 16, 2023
Solved

RBRE960 VPN Service appears broken and does not function

Greetings,

I use a mac OSX laptop on the road and was trying to set up the VPN service on my brand new RBRE960 home router, firmware version V6.3.7.10_3.3.3, and it does not work at all.  I am currently using an OpenVPN FreeBSD server with port forwarding behind this router and that is functioning very nicely, but I want to move it to the router.

 

So, I've followed all the steps in the User Manual to enable the VPN service and install the client configs for either Tunnelblick or the OpenVPN client.  There are issues with the client configs for "Mac OSX" that I've downloaded from the router.  Both Tunnelblick and the OpenVPN client complain about garbled config files.

 

1.  The line in the .conf file naming the remote host site for the router is missing the "remote" keyword and port number.  I manually edited the config file and changed the line:

      from "vphost.foobar.com"

      to  "remote vphost.foobar.com 12973"

This change eliminates the complaint from both clients about a garbled config file.

 

2.  Both clients on MacOSX do not support the "TAP Mode Service type"  So I also modified the client.conf file generated by Netgear for Mac OSX:

     from "dev tap"

     to "dev tun"

 

3.  Both clients require that you drag and drop the config, .conf or .ovpn file into their config window.  The generated Netgear conf or .ovpn does not include the CA certificate, the client cert, server key, or tls static key.  They are in separate files as generated by Netgear and cannot be included in the drag and drop.  On my .ovpn file that works perfectly to the FreeBSD openvpn server, this data is included in the .ovpn and is surrounded by XML tags:

    <ca> CA certificate data </ca>

    <cert> client certificate data </cert>

    <key> client private key </key>

    <tls-crypt> 2048 bit OpenVPN static key </tls-crypt>

 

The tls static key is missing from the Netgear generated configs.

 

So, I updated my Netgear config to include the data surrounded by the XML tags minus the missing tls static key and both clients accept the configs but will still not connect to the NetGear VPN service.  I am unable to get it working so, I reverted back to using the FreeBSD OpenVPN server with port forwarding.

 

I'm pretty sure that NetGear's client configs generated for MacOSX need to be fixed.  I don't know about the windows or smart phone configs.  My question is this: has anyone got the NetGear OpenVPN service working with anything at all?


  •  I worked with Netgear tech support on the case I submitted.  They gave me a new firmware version to try, V7.2.6.103_5.0.19.  I now do have a working VPN service as this firmware version fixed some of the issues with the configuration files.  There is a caveat though.  The smart_phone.ovpn file from the router's smart_phone configuration package works for both my iPhone 13 and my Macbook Pro using OpenVPN connect and Tunnelblick.  The MacOSX configuration package still does not work with MacOSX using those two VPN clients because both clients expect a combined OVPN configuration file like the one from the smart_phone package.  Also, the MacOSX package still provides a conf file with a "tap" mode setting which is not supported by OpenVPN connect on MacOSX.  You can use the MacOSX package if you rename the client.conf file to client.ovpn, edit the client.ovpn and change "dev tap" to "dev tun", change the port number to the one for "tun" mode, and then include the CA certificate, client certificate, and client private key in the client.ovpn using these tags:

     

    <ca>ca certificate</ca>

    <cert>client certificate</cert>

    <key>client private key</key>

     

    I found that it's much easier though to just use the smart_phone.ovpn as it is in the proper format and is configured for tunnel mode with "dev tun".  This OVPN file works fine with both Tunnelblick and OpenVPN connect clients on a MacBook Pro.
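The manual conversion described in the post above, as an added example that is not part of the original thread and not NETGEAR's tooling. It assumes the downloaded `client.conf` references the certificate files with `ca`, `cert` and `key` directives; the function names, sample host and port numbers are constructed, and `remote-cert-tls server` is the line mentioned in the first reply below.

```python
import os
import re

# Constructed sample of a tap-mode client.conf; host, port and file names are placeholders.
SAMPLE_CONF = """client
dev tap
proto udp
remote vpnhost.example.com 12974
ca ca.crt
cert client.crt
key client.key
"""

def check_pem(label, text):
    """Return stripped PEM text; refuse anything without matching BEGIN/END markers."""
    text = text.strip()
    if not re.match(r"-----BEGIN ([A-Z ]+)-----\n[\s\S]+\n-----END \1-----$", text):
        raise ValueError(f"{label}: not PEM data")
    return text

def build_unified_ovpn(conf_text, ca_pem, cert_pem, key_pem, tun_port):
    """Turn a tap-mode client.conf plus separate PEM files into one tun-mode .ovpn."""
    out, has_rct = [], False
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0][0] in "#;":      # keep blanks and comments as-is
            out.append(raw)
            continue
        if words[0] in ("ca", "cert", "key"):     # file references become inline blocks
            continue
        if words[:2] == ["dev", "tap"]:
            raw = "dev tun"
        elif words[0] == "remote" and len(words) >= 2:
            raw = f"remote {words[1]} {tun_port}"  # tun mode listens on its own port
        elif words[:2] == ["remote-cert-tls", "server"]:
            has_rct = True
        out.append(raw)
    if not has_rct:
        out.append("remote-cert-tls server")       # have the client verify the server cert type
    for tag, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        out += [f"<{tag}>", check_pem(tag, pem), f"</{tag}>"]
    return "\n".join(out) + "\n"

def write_private(path, text):
    """Write the profile owner-readable only: it now embeds the client private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)                           # also tighten a pre-existing file
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
```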

5 Replies

  • I have an update as to why I think it's not connecting.  In the Tunnelblick logs there was an error message that stated the OpenVPN client and Tunnelblick client now require this setting to circumvent man-in-the-middle attacks; see:

    https://openvpn.net/community-resources/how-to/#mitm

     

    I added this missing config line to the Netgear generated MacOSX config:

     

    remote-cert-tls server

    I tried again but now the failure with Tunnelblick is "TLS Error: TLS key negotiation failed to occur within 60 seconds"

    I suspect that this is due to the missing TLS encryption key from the NetGear generated configs for MacOSX, see my original post.

     

    I hope that NetGear fixes these issues as I paid a lot of money for this router and I want to use the VPN service.  I've opened a support ticket with them: 47387383
