Netgear R7000 and OpenVPN for Android App

---

Diggie3wrote:
Please be careful which files you post, you should not post your dh params. Fortunately we are working on replacing those ;)

Okay so the files you posted (openssl.cnf and vars) are part of the easy rsa scripts to generate the original keys. I would continue to guess that unless the router itself was generating keys, which I doubt, they don't really need to be there, and we should just ignore them.

Try these commands:

cat /tmp/server_tap.conf
cat /tmp/server_tun.conf

On my R7000 the first few lines of each output will show the dh file that OpenVPN server is using.

You can probably also type this to verify which conf files are in use:

ps | grep openvpn

Unfortunately, at least on my R7000, /tmp itself stored on part of a file system that is not updatable (you can write to it but when you reboot your changes will most likely be gone). This leaves us only able to update the keys and not the OpenVPN configs themselves. If NG engineers wanted to be friendly and helpful us fix more problems ourselves in future they could think about making more writable overlays :)

---

Many thanks for your quick reply!

The 2 files cannot be found in the specified directory.

/tmp/server_tap.conf
/tmp/server_tun.conf

After executing the command "ps | grep openvpn", the follow result found in the screen:

4685 root 1520 S grep openvpn
7189 root 3904 S /usr/sbin/openvpn --config /etc/server.conf
7191 root 4196 S /usr/sbin/openvpn --config /etc/server_phone.conf

---

Diggie3wrote:
Okay, your router seems to be significantly different.

Type:
cat /etc/server.conf
cat /etc/server_phone.conf

That'll let you see your OpenVPN configs.

---

Pls find the outcome below by cut & paste of the text output.  It seems the file “/etc/server_phone.conf” will be the true config of my OpenVPN server because I am currently using port 8443 (UDP). 

# cat /etc/server.conf
dh /tmp/openvpn/dh1024.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dev tap0
server-bridge
proto udp
port 12974
keepalive 10 120
verb 5
mute 5
log-append /tmp/openvpn_log
writepid /tmp/openvpnd.pid
mtu-disc yes
topology subnet
cipher AES-128-CBC
auth sha1
tls-server
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
comp-lzo
fast-io
push "route 192.168.11.0 255.255.255.0"
push "route-delay 5"

# cat /etc/server_phone.conf
dh /tmp/openvpn/dh1024.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dev tun
server 192.168.2.0 255.255.255.0
proto udp
port 8443
keepalive 10 120
verb 5
mute 5
log-append /tmp/openvpn_log
writepid /tmp/openvpnd.pid
mtu-disc yes
topology subnet
cipher AES-128-CBC
auth sha1
tls-server
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
comp-lzo
fast-io
push "route 192.168.11.0 255.255.255.0"

#

The forum seems to have lost my last post so hopefully this doesn't post twice.

Things we can see:

1. Based on your file list from /tmp/openvpn, we can see that your router uses "client" as the base name for client keys/certificates, and "server" for the base name for server keys/certificates. That's compatible with the PDF.

2. Based on the OpenVPN config files you dumped, we can see the OpenVPN server is loading dh1024.pem. That's compatible with the PDF.

As I wrote earlier, I think some of the extra files are:

- Copies of the easy rsa scripts used to create your keys originally, but I suspect unused by the router

- Certificate signing requests, which are usually part of the easy rsa key generation process, and I suspect also unused by the router

- dh2048.pem I don't know why this is here. It might be unused, but I can't say for sure. I don't know if your model has some other service that my R7000 doesn't have.

So in summary, my best guess would be that the steps in the guide should work for you. The choice to proceed and the risk involved in that is yours. There is always some risk that our models are different enough that you have a different version of OpenVPN that is incompatible with the new keys for some reason, though I wouldn't expect this. Please realize I can only provide my best guess since I don't have access to your model.

If you do decide to go ahead:

- Absolutely follow Step 5 to backup the files that will be replaced, and to know how to restore them if you need to.

- You could also do this:

zip -9 fullbackup.zip *

... to try to fully backup all the original files. Check that the zip utility lists all of the files you found in your /tmp/openvpn folder as it works.

---

Diggie3wrote:

The forum seems to have lost my last post so hopefully this doesn't post twice.

 

Things we can see:

1. Based on your file list from /tmp/openvpn, we can see that your router uses "client" as the base name for client keys/certificates, and "server" for the base name for server keys/certificates. That's compatible with the PDF.

 

2. Based on the OpenVPN config files you dumped, we can see the OpenVPN server is loading dh1024.pem. That's compatible with the PDF.

 

As I wrote earlier, I think some of the extra files are:

- Copies of the easy rsa scripts used to create your keys originally, but I suspect unused by the router

- Certificate signing requests, which are usually part of the easy rsa key generation process, and I suspect also unused by the router

- dh2048.pem I don't know why this is here. It might be unused, but I can't say for sure. I don't know if your model has some other service that my R7000 doesn't have.

 

So in summary, my best guess would be that the steps in the guide should work for you. The choice to proceed and the risk involved in that is yours. There is always some risk that our models are different enough that you have a different version of OpenVPN that is incompatible with the new keys for some reason, though I wouldn't expect this. Please realize I can only provide my best guess since I don't have access to your model.

 

If you do decide to go ahead:

- Absolutely follow Step 5 to backup the files that will be replaced, and to know how to restore them if you need to.

- You could also do this:

 

zip -9 fullbackup.zip *

 

... to try to fully backup all the original files. Check that the zip utility lists all of the files you found in your /tmp/openvpn folder as it works.

 

 

 

---

Thank you so much for your professional advice!

I understand every step we make will have certain level of risk.  However, you have tried your best to help me analyse the situation.  Total loss of the router will always be the worst case scenario and I am always prepared for that.

I will backup all files in the said directory to to reduce the risk.  

Now, I must first learn how to generate the new certificate/key in your instructions 3b to 3e.

Is it required to change the “/tmp/server_phone.conf” file when changing a stronger encryption method?

It is because OpenVPN connect for both Android & iOS no longer support MD5 after April 30.

It should not be required to change “/tmp/server_phone.conf”, and in fact it is probably not possible to do that either.

The MD5 algorithm is used by the original certificates. Following the PDF should cause these to be replaced. The PDF has steps to produce certificates using SHA256, which is much stronger.

NG_Guru I went to investigate http://192.168.1.1/debug.htm . I found that:

* It did not exist on R7000 FW versions 1.7.x.

* It does exist on the latest FW version, 1.9.26, but the code to display and send the telnet option to the router have been commented out in debug.htm, so it's not user accessible. This FW is less than a month old.

Therefore I think this option is very likely to be dependent on which model you have and which firmware version you are using. Clearly the page doesn't always exist, and if it does exist NG may be disabling that option.

---

Diggie3wrote:

Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.

 

Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:

 

http://192.168.1.1/debug.htm

 

If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.

---

Thanks for the new update of your instruction guide.

I am so luck that my R6220 router still have the "debug.htm" hidden page and with the "enable telnet" option.

Thanks for answering all my questions in these days.

No matter I can successfully change the VPN key / certificate with your method or not, I will get back to this post to confirm.

Diggie3 - I just followed your 1.0.1 instructions and successfully replaced my keys onto my R7000.  Those instructions were excellent.  Thank you so much for taking the time to do this!

Diggie3wrote:

Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.

 

Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:

 

http://192.168.1.1/debug.htm

 

If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.

---

Hi Diggie3,

Unfortunately the result for my R6220 is negative.  I completed all the procedures described in your instructions and reboot the router.  After robooting, OpenVPN cannot be connected by using the new certificate but the old certificate still function properly instead.

By enabling telnet thru’ “192.168.xx.1/debug.htm” again, I found that all the files under the directory “/tmp/openvpn” have been restored to the originals.  The newly added files “originalkeys.zip” & “newkeys.zip” during the procedures have been removed.

It seems R6220 router only stored the files to /tmp/openvpn temporary but have other true location to store the actual certificates.

Also, every reboot will clear the setting of “enable telnet”.

During the discussion to this post in this week, the router have not been rebooted.  Therefore I have just discovered this fact yesterday.

Remark: I have checked the updated files in “/tmp/openvpn” by “cat” command before rebooting”, all the 6 mentioned files should have been updated.

katsaw You could try this:

cat /proc/mounts

Here's some output from the R7000:

/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0

The reason we can update the keys is that /tmp/openvpn is a read-write jffs2 filesystem, which is a compressed, non-volatile file system. That was a smart move on Netgear's part. See if you have something similar. The R7000 also has /tmp/media/nand of this type, but there's no OpenVPN content there on the R7000, and I don't know how safe it would be to modify that one (I haven't tried).

---

Diggie3wrote:

katsaw You could try this:

 

cat /proc/mounts

 

Here's some output from the R7000:

 

/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0

 

The reason we can update the keys is that /tmp/openvpn is a read-write jffs2 filesystem, which is a compressed, non-volatile file system. That was a smart move on Netgear's part. See if you have something similar. The R7000 also has /tmp/media/nand of this type, but there's no OpenVPN content there on the R7000, and I don't know how safe it would be to modify that one (I haven't tried).

---

Thanks for your prompt reply!

Here it is:

# # cat /proc/mounts

rootfs / rootfs rw 0 0

/dev/root / squashfs ro,relatime 0 0

ramfs /dev ramfs rw,relatime 0 0

proc /proc proc rw,relatime 0 0

none /tmp ramfs rw,relatime 0 0

none /media ramfs rw,relatime 0 0

none /sys sysfs rw,relatime 0 0

none /proc/bus/usb usbfs rw,relatime 0 0

devpts /dev/pts devpts rw,relatime,mode=600 0 0

/dev/sda1 /tmp/mnt/shares/U vfat rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp950,iochars
et=utf8,shortname=mixed,errors=remount-ro 0 0

#

Awesome post!  Thanks!  Worked flawlessly.  Appreciate you!

THANK YOU!!!
   I just went through the instructions and it worked great.    You clearly spent some time on this and I appritiate it.

For others out there:  Here are a few notes on my experiene:

1. Hidden Page for Telnet.I got to the hidden page, but my router (R7000 Nighthawk AC1900)  did not have a button to enable telnet.
     
2. The process requires Python 2.7.    
   I initially tried using Python 3.x because it was already on my system..... but installing pycrypto did not work till I installed Python 2.7.   (I should have followed the instructions :-\)
   
   
3. IP Address of the router
   The instructions kinda assume the default IP address of the router of 192.168.1.1.   My address range is different but the instructions were clear enough that it was easy to deal with.
     
4. OpenVPN tools version
   The instructions stress that they are for OpenVPN tools version 2.4.4 and if you used a different version things might look different.    I used version 2.4.5 and saw absolutely no differences.
   
   
5. Step 3.c is optional.   
   I skipped it.
   
   
6. In Step 3.e, tells you to copy 'keys\dh4096.pem'.  
   On my system the file was named keys\dh2048.pem.   This is probably because I skipped step 3.c

Hi pthorvald,

Indeed an update to OpenVPN has been released. I'll probably end up updating the doc to match it but haven't had time yet -- busy work schedule. I noticed that they say they patched the easy-rsa scripts, which is probably what led to you getting "dh2048.pem".

If anyone else is looking for the 2.4.4 installer to match the doc exactly in the meantime, the download is here:

http://build.openvpn.net/downloads/releases/openvpn-install-2.4.4-I601.exe

Glad you got your router patched up! :)

Hi Diggie3,

     Thanks for the quick response!!

> If anyone else is looking for the 2.4.4 installer....... 

I guess I did not scroll down the page far enough to find version 2.4.4 of the OpenVPN stuff....  thanks for publishing the link.    It is bound to help others find the right version.

> I noticed that they say they patched the easy-rsa scripts, which is probably what led to you getting "dh2048.pem

Interesting..... it did not even occure to me that the OpenVPN version might have caused the difference.....but it certainly makes sense.

Once again,  thankyou for publishing your instructions.   You were able to make the task possible for us mere mortals! 

I have been lurking in this thread for the solutions from Netgear's firmware upgrade to solve the MD5 issue. After endless wait for their part and looking like there won't be such a postive outcome. So I took the action with the helpful tutorial from Diggie3 and finally sucessfully setup with the proper SHA256 signed certificates.

Here I would like to express my graditude to Diggie3 for setting up such a helpful and details tutorials, eventhough the procedure seems daunting, but with such details in explanations and the many helpful pictures attached. I was in no time come into any difficulty at all. Eventhough it took me quite few hours, and take breaks in between to digest the different stages of the operations :) At the end. it all come good with the new OPENVPN server function like before but with the new certificates.

Once again I like say as many thanks as i could to Diggie3 for your helps here. I advise those who still are sitting at the fence to wait for Netgear's team for the solution to give it a try.

Thanks Diggie3 for putting together that comprehensive manual!   I haven't tried it yet, though. :(   I have a back-up OpenVPN setup on a Raspberry pi if Netgear doesn't follow through by April 30. Not being critical, but just FYI I did notice on Page 15 that although I see a copy command on the screen grab of the screen, it is not listed in the list of commands in the text.

WONDERFUL directions! Thank you. My Nighthawk 7000P now functions as a VPN server. I experienced three changes from your directions.

1. Section 3.e.2 - instead of dh4096.pem, my file was named dh2048.pem.

2. Section 7.c

• My client.ovpn file needed to have one line added to it at the end -- "remote-cert-tls server" (without the quotes). This prevents man-in-the-middle attacks. The OpenVPN 2.4.5 client will not connect without this line added. Since client.ovpn is a protected file, you will need to open notepad in "admin" mode to edit it.
• Consider adding instructions on how to download the client files to iPhone and android. 

          For iPhone - Connect iphone to PC via charging cable. Open iTunes 12.x. Click on the iPhone icon below the "Controls" icon. Under "Settings," click on "File Sharing." Click on the OpenVPN icon to the right. Select "Add File...". Add ca.crt, client.crt, client.key and client[x].ovpn. Select "Open". Select "Sync". Select "Done".

---

jrsalamo wrote:

WONDERFUL directions! Thank you. My Nighthawk 7000P now functions as a VPN server. I experienced three changes from your directions.

 

1. Section 3.e.2 - instead of dh4096.pem, my file was named dh2048.pem.

2. Section 7.c

• My client.ovpn file needed to have one line added to it at the end -- "remote-cert-tls server" (without the quotes). This prevents man-in-the-middle attacks. The OpenVPN 2.4.5 client will not connect without this line added. Since client.ovpn is a protected file, you will need to open notepad in "admin" mode to edit it.
• Consider adding instructions on how to download the client files to iPhone and android. 

          For iPhone - Connect iphone to PC via charging cable. Open iTunes 12.x. Click on the iPhone icon below the "Controls" icon. Under "Settings," click on "File Sharing." Click on the OpenVPN icon to the right. Select "Add File...". Add ca.crt, client.crt, client.key and client[x].ovpn. Select "Open". Select "Sync". Select "Done".

 

---

Thanks!

The OpenVPN server of my Tomato router (not NETGEAR) also need the client ovpn file to add the line "remote-cert-tls server" for successful connection.

Diggie3 - Thank you very much for the information provided in the guide.  I was able to follow the steps and update my R7000.  

Just wanted to share some information I found during my process in hopes someone else doesn't have to struggle through the frustration I experienced.  

I followed all of the steps without issue until I reached step 2b:  Connect to the router.  No matter what I did, I was unable to connect via Telnet.  The step 1h: Enable Telnet, returned the message Sent Telnet enabled payload to '192.168.0.1', it would appear that it was successful but no Telnet connections were accepted. 

It took some time to figure it out, but it seems there was an issue with my choice of password and the enable script.  I use a long, complex password to secure my router's admin account.  For kicks I changed it to something short and simple, sent the payload again, and was able to connect via Telnet.  

If you use a long and/or complex password for your account, and are unable to connect via Telnet after sending the payload in step 1h, you may consider temporarily changing your password to something simple during this process then resetting it back to your desired choice once complete.

Just followed the excellent guide on my R7000.  However, when I export the certificates from the VPN settings on the router - they are still the old ones.  Which is odd, since they should have been overwritten in the last step (when unzipping newkeys.zip).  Last step appeared succesfully and then rebooted, but even after reboot - still retrieving the old certs from the portal.