Morganino
Jun 26, 2017 Tutor
Netgear R7000 and OpenVPN for Android App
Hi, since last OpenVPN for Android App update (v.0.6.73) downloadable at the following link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn OpenSSL version was upgraded to 1.1 and...
- Feb 28, 2018
Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
katsaw
Mar 02, 2018 Guide
Diggie3 wrote: Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
Hi Diggie3,
Unfortunately the result for my R6220 is negative. I completed all the procedures described in your instructions and rebooted the router. After rebooting, OpenVPN cannot connect using the new certificate, but the old certificate still functions properly instead.
By enabling telnet through “192.168.xx.1/debug.htm” again, I found that all the files under the directory “/tmp/openvpn” have been restored to the originals. The files “originalkeys.zip” & “newkeys.zip” newly added during the procedures have been removed.
It seems the R6220 router only stores the files in /tmp/openvpn temporarily but has another true location to store the actual certificates.
Also, every reboot will clear the setting of “enable telnet”.
During the discussion of this post this week, the router had not been rebooted. Therefore I only discovered this fact yesterday.
Remark: I checked the updated files in “/tmp/openvpn” with the “cat” command before rebooting; all 6 of the mentioned files should have been updated.
Diggie3
Mar 02, 2018 Luminary
katsaw You could try this:
cat /proc/mounts
Here's some output from the R7000:
/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0
The reason we can update the keys is that /tmp/openvpn is a read-write jffs2 filesystem, which is a compressed, non-volatile file system. That was a smart move on Netgear's part. See if you have something similar. The R7000 also has /tmp/media/nand of this type, but there's no OpenVPN content there on the R7000, and I don't know how safe it would be to modify that one (I haven't tried).
- katsaw Mar 02, 2018 Guide
Diggie3 wrote: katsaw You could try this:
cat /proc/mounts
Here's some output from the R7000:
/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0
The reason we can update the keys is that /tmp/openvpn is a read-write jffs2 filesystem, which is a compressed, non-volatile file system. That was a smart move on Netgear's part. See if you have something similar. The R7000 also has /tmp/media/nand of this type, but there's no OpenVPN content there on the R7000, and I don't know how safe it would be to modify that one (I haven't tried).
Thanks for your prompt reply! Here it is:
# # cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
ramfs /dev ramfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
none /tmp ramfs rw,relatime 0 0
none /media ramfs rw,relatime 0 0
none /sys sysfs rw,relatime 0 0
none /proc/bus/usb usbfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
/dev/sda1 /tmp/mnt/shares/U vfat rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp950,iocharset=utf8,shortname=mixed,errors=remount-ro 0 0
#
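The comparison made in the two posts above, written out as an added example that is not part of any forum post: it finds which mount backs `/tmp/openvpn` in a `/proc/mounts` table and says whether files written there survive a reboot. The function names `backing_mount` and `key_store_kind` are hypothetical, the sample tables are built from mount lines posted in this thread (a subset for the R6220), and the list of filesystems treated as persistent is an assumption.

```shell
#!/bin/sh
# Added example: sample tables constructed from mount lines quoted in the thread.
R7000_MOUNTS=$(mktemp)
R6220_MOUNTS=$(mktemp)
cat > "$R7000_MOUNTS" <<'EOF'
/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0
EOF
cat > "$R6220_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
ramfs /dev ramfs rw,relatime 0 0
none /tmp ramfs rw,relatime 0 0
none /media ramfs rw,relatime 0 0
EOF

# Print "fstype options" of the mount that backs a path.
# $1 = path, $2 = mounts table (defaults to the live /proc/mounts).
backing_mount() {
    awk -v p="$1" '
        {
            mp = $2
            # A mount covers the path if it is the path itself or a parent directory.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # Longest mount point wins; on a tie the later line shadows the earlier.
                if (length(mp) >= best) { best = length(mp); fs = $3; opts = $4 }
            }
        }
        END { if (best) print fs, opts }
    ' "${2:-/proc/mounts}"
}

# Classify the backing store: volatile | read-only | persistent-rw | other.
key_store_kind() {
    set -- $(backing_mount "$1" "$2")
    fs=$1 opts=$2
    case "$fs" in
        ramfs|tmpfs) echo volatile; return ;;      # RAM-backed, lost on reboot
    esac
    case ",$opts," in
        *,ro,*) echo read-only; return ;;          # cannot be modified in place
    esac
    case "$fs" in
        jffs2|ubifs|yaffs2|ext2|ext3|ext4) echo persistent-rw ;;  # assumed list
        *) echo other ;;
    esac
}

for f in "$R7000_MOUNTS" "$R6220_MOUNTS"; do
    echo "/tmp/openvpn -> $(backing_mount /tmp/openvpn "$f") [$(key_store_kind /tmp/openvpn "$f")]"
done
```

On a router shell, calling `key_store_kind /tmp/openvpn` with no second argument reads the live `/proc/mounts`.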
- Diggie3 Mar 03, 2018 Luminary
A couple of updates:
1- Forum user pyrmont has created a set of instructions for Linux users. You can read that here:
http://articles.inqk.net/2018/03/02/netgear-openvpn-keys.html
2- katsaw and I did some more investigation of the R6220 model. The outcome is:
a) I don't think it's possible to update the keys on the R6220 using the same technique as for the R7000. Other methods might exist, but I'm not familiar with them and I have no way to research it.
b) I would recommend R6220 owners disable the OpenVPN server, and if they really need to run a VPN server either to look into third-party firmware or a newer model of router.