Morganino
Jun 26, 2017Tutor
Netgear R7000 and OpenVPN for Android App
Hi, since last OpenVPN for Android App update (v.0.6.73) downloadable at the following link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn OpenSSL version was upgraded to 1.1 and...
- Feb 28, 2018
Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
ClarDold
Jan 02, 2018Apprentice
ClarDold wrote:
I won't enjoy some pointers.
I _would_ enjoy just some pointers.
(I shouldn't post from my phone. I miss some of the helpful auto-corrects.)
juched
Jan 04, 2018Apprentice
So, decided to use ASUS-Merlin by Vortex for my R7000. It has VPN, and guess what, when it generates certificates and keys it uses 1024bit, SHA256 signed certificate, and negotiates with AES-128-GCM/AES-256-GCM/AES-128-CBC/AES-256-CBC keys by default, but I can generate my own and paste them in if I want as well.
Seems ASUS has it all together.
- ClarDoldJan 04, 2018Apprentice
juched wrote:So, decided to use ASUS-Merlin by Vortex for my R7000. [...]
Seems ASUS has it all together.
Well, that's disappointing, because I just retired my Asus because of WiFi instability and lockups.
How did you decide that firmware would run on the R7000? And would it also run on the R7000P?
- KilrahJan 04, 2018Guide
Nice, thanks for the info, downloaded the package, will see if I feel like reconfiguring my router just now or would rather wait a bit for a hypothetical update from NG...
- Diggie3Jan 04, 2018Luminary
FYI NG is so far ignoring any attempt I make to get them to thumbs up me posting a guide for their own firmware, so if you guys still want that feel free to hit up your favorite moderators and see if you have any better luck...
- KilrahJan 04, 2018Guide
I don't see why you'd need to ask permission for that.
- Diggie3Jan 04, 2018Luminary
I don't know what the forum rules are, didn't find any link to them.
- 96708Jan 05, 2018Apprentice
Even if you install the improvised user suggested fix, which is great, for sure you should still file a complaint against NG:
It only takes a few mins to fix. NG has not fixed the problem voluntarily and the MD5 issue has been known for a long time. Yet NG continues to market its routers' OpenVPN feature. That is dereliction of duty. In fact, NG should be sued. Filing a complaint with the BBB is a preliminary step to prove on paper NG is ignoring the problem even after inquiry using a third party. This is a first step leading up to dropping the atom bomb (class action lawsuit seeking remedies) on them.
- CyBuzzJan 20, 2018Guide
i got a response from NG via the BBB complaint. they opened a case for me and now i just need to get them info about my router. will see if anything happens from there.
- katsawJan 27, 2018Guide
wrote:
I don't know what the forum rules are, didn't find any link to them.
I don't think you will get a reply from NETGEAR staff!
Every time this forum has a discussion on the firmware of NG about the OpenVPN security issue, they won't have a positive reply.
You can find a similar case to the discussion of OpenVPN certificate which can never be changed with NETGEAR firmware.
Now everyone knows that OpenVPN has changed the policy that it will no longer support MD5 certificate / encryption after April 30. This warning message is displayed clearly in the updated edition of OpenVPN Connect for Android phone! How come NETGEAR has no plan to change its firmware?
I don't see this warning with OpenVPN Connect on iPad. Anyone know the case of iPhone?
My router is R6220. I think all NETGEAR routers have the same issue.
- kuserFeb 05, 2018Star
Please publish your instructions to update the certificates using a proper hash function, I don't want to wait any longer for NG.
Which doesn't mean we cannot keep the pressure up!
Maybe we should launch a Facebook campaign or so, blaming NG for not reacting!
- ClarDoldFeb 06, 2018Apprentice
I opened a case with support a long time ago. In an awkward realization, I see that I can't read any of the old history of the case, nor see when it was opened.
This is their latest response:
Please downgrade the firmware by following the below link and check whether the issue persists.
https://kb.netgear.com/000049362/R6900P-R7000P-Firmware-Version-1-2-0-22
They don't know if it will fix the problem?
My update back to the case was that I don't want to downgrade to test for them, and asked when they were going to fix this problem.
- jesperchFeb 08, 2018Aspirant
has anyone tried the most recent hot fix. it lists Security
R7000 Firmware Version 1.0.9.26 - Hot Fix
Bug Fixes:
- Fixes the Wi-Fi disconnect issue caused by a flood of broadcast traffic.
- Fixes security issues.
https://kb.netgear.com/000053870/R7000-Firmware-Version-1-0-9-26-Hot-Fix
- Diggie3Feb 08, 2018Luminary
It always lists security. It's completely f***ing meaningless since NG won't say what security issues they addressed and thus you also can't know which they did not address.
Worst. Release notes. Ever.
They should be ashamed. No company serious about security would do this.
- ClarDoldFeb 08, 2018Apprentice
Firmware Version V1.3.0.20_10.1.1
I've seen no changes to the VPN config page, and the old certs still work.
- Diggie3Feb 08, 2018Luminary
I'll try to get my instructions up this weekend. Sorry, I've been busy with work and I just gave up dealing with the router the past few weeks since NG took so long to address the firmware stability, I lost interest.
- amornikFeb 12, 2018Aspirant
Hi !
As this seems like a big issue for everyone, it would be great if you could post the steps, even in a basic form and not detailed as much.
I'm a networking guy myself and I will find the time to take this and turn it into a guide. just give me the bare minimum.
thanks!
- ClarDoldFeb 15, 2018Apprentice
R7000P Firmware Version V1.3.0.20_10.1.1
I received a phone call from Netgear L2 Expert support.
The change in OpenVPN certs has been accomplished for some Netgear routers, and will be finished for the R7900P before the drop dead date for Android OpenVPN.
I asked which routers had already been updated, and she couldn't tell me.
My R7000P Firmware Version V1.3.0.20_10.1.1 has a 2018-01-23 15:12 R7000P-V1.3.0.20_10.1.1.chk
I looked at the opensource download, and it has a 2018-02-15 10:16:03 V1.3.0.10_1.2.2_gpl, so there is something newer underway. It still has an MD5 ca.crt, though.
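The check described in the post above (whether a firmware's ca.crt is still MD5-signed) can be scripted; this is an added example, not part of any post in this thread and not NETGEAR code. The function names, the choice to also flag SHA-1 and RSA/DSA keys under 2048 bits, and the sample text are assumptions of the example.

```shell
#!/bin/sh
# Added example: flag OpenVPN certificates with a weak signature hash or short key.
# Usage: pass a directory holding copies of the *.crt files as the first argument.

# Read `openssl x509 -noout -text` output on stdin and print
# "<verdict> <signature-algorithm> <key-bits>"; verdict is OK, WEAK or UNKNOWN.
classify_cert_text() {
    awk '
        /Signature Algorithm:/  && alg == ""  { alg = $NF }
        /Public Key Algorithm:/ && pk == ""   { pk = tolower($NF) }
        /Public-Key:/           && bits == "" { b = $0; gsub(/[^0-9]/, "", b); bits = b }
        END {
            if (alg == "") { print "UNKNOWN - -"; exit }
            verdict = "OK"
            # MD5 is the issue in this thread; SHA-1 is flagged as an assumption.
            if (tolower(alg) ~ /md5|sha1/) verdict = "WEAK"
            # Assumed threshold: RSA/DSA subject keys shorter than 2048 bits.
            if (bits != "" && bits + 0 < 2048 && pk ~ /rsa|dsa/) verdict = "WEAK"
            print verdict, alg, (bits == "" ? "-" : bits)
        }'
}

# Run the check over every *.crt in a directory (requires the openssl CLI).
audit_dir() {
    for f in "$1"/*.crt; do
        [ -f "$f" ] || continue
        result=$(openssl x509 -in "$f" -noout -text 2>/dev/null | classify_cert_text)
        printf '%s: %s\n' "$f" "$result"
    done
}

# Constructed sample: excerpt shaped like openssl text output for an MD5-signed cert.
sample_md5_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption
EOF
}

if [ -n "${1:-}" ]; then
    audit_dir "$1"
else
    sample_md5_cert_text | classify_cert_text
fi
```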
- Diggie3Feb 15, 2018Luminary
That's interesting. As a status update, I have spent many hours this week already writing a guide, I have to fit it in around work/life. I hope to have something up here in the next few days.
- bripab007Feb 21, 2018Tutor
I submitted an email support request to Netgear yesterday asking when they plan to release a new firmware with an updated OpenVPN server build that uses SHA256 instead of MD5 signing algorithm, but I've yet to receive any useful info.
- katsawFeb 22, 2018Guide
It is hard for me to understand why it is so difficult to change the encryption method?
It seems all VPN servers except NG OpenVPN have different options for encryption.
- NG_GuruFeb 25, 2018Star
I'm looking forward to seeing if I can update my R8500 with your method. I have telnet enabled.
Are you by chance loading your certificates via the hidden page? http://192.168.1.1/OPENVPN_hidden.htm
- NG_GuruFeb 25, 2018Star
looks like the certificates are stored in /usr/temp/openvpn
files are: ca.crt client.crt client.key dh1024.pem server.crt server.key
There may also be an easier way to enable telnet from the check box at http://192.168.1.1/debug.htm
- kuserFeb 25, 2018Star
This looks very promising, why is this page hidden?
- Diggie3Feb 25, 2018Luminary
Hi,
Please see attached. I hope it works for you, but it is 100% at your own risk.
It has honestly been exhausting putting this together so I hope NG will automate replacing keys through the UI in future.
- huttlerFeb 25, 2018Aspirant
Thank you for posting the fix! Hopefully I can try it out next weekend
- NG_GuruFeb 25, 2018Star
I can confirm that step 1 can be avoided (R8500) by going to http://192.168.1.1/debug.htm and selecting "Enable Telnet"
Can anyone else confirm that telnet can be enabled this way ?