ncazer
Jan 19, 2018 (Tutor)
R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256
I am unable to connect to my Netgear R6700v2 VPN using my Android device because the certificate my router generates is still using MD5 when services started requiring SHA256. MD5 has been known to b...
- Jun 25, 2018
Hi All,
A firmware is released for R6700v2 that will support the new OpenVPN certificate.
https://kb.netgear.com/000059475/R6700v2-Firmware-Version-1-2-0-24
Regards,
Blanca
Community Team
pthorvald
Apr 28, 2018 (Guide)
Hello JamesGL
Back on February 5th you wrote:
"NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline."
The deadline is now 2 days away... What should we expect? Is there going to be an update or not? If not, I am going to be very disappointed. I purchased this router explicitly for the VPN function.
Hardware Version R7000
Firmware Version V1.0.9.26_10.2.31
KBeck123
Apr 29, 2018 (Tutor)
Ahem. Yeah, I'm sitting here, too, watching the clock tick away. A few things:
1. The software I'm using on an Android to connect with the R6700v2 is, from the suggestions in the Netgear help files, OpenVPN Connect. I should note that for all the "Open" words in there this is a commercial company that is attempting to monetize what appears to be an open source package.
2. It was this package that initially was complaining that Netgear's use of MD5 was a Bad Idea and that in a short time the OpenVPN Connect software would cease to support Netgear's use of that function. I should note that before using OpenVPN Connect I tried a couple of other OpenVPN clones.. to no avail. Maybe I'm just stupid, or there's something in particular about OpenVPN Connect and Netgear's implementation that made the two connect. As in, they have a contract. That's a suspicion, not straight knowledge.
3. About a month after this thread was created there was an update to OpenVPN Connect. Besides a switched-around UI, the main "feature" is that the updated OpenVPN Connect no longer complains about the use of MD5 on every start. However, the help link puts one on an OpenVPN site that still says that MD5 will be deprecated as of May 2018, giving "older equipment" a chance to get changed over to something more secure. However, I have to wonder: Was the suppression of the MD5 warning message due to somebody at Netgear giving OpenVPN a call?
4. I joke about it, but I definitely wear a tin-foil hat. Because sometimes the bad people really are out to get you. In particular, both the FBI and NSA have stated multiple times that they fear the world "going dark"; that is, more difficult for them to capture data. In particular, the NSA has been capturing all the data, all the time, on all the trunks going through AT&T and other major long-haul providers, and, in particular, capturing encrypted data. The claim is that this pretty-much-illegal act is OK so long as they only "select" data upon which they search, and those selectors are under the aegis of FISA court warrants. You know, the ones that come with gag orders, the court and its ruling being about 99 44/100ths pure secret.
It's no surprise that these people hate VPNs with a raw passion because, just like bad guys use telephone networks (which the three-letter agencies monitor and capture), they use encryption and VPNs, too. So, this slow move from Netgear... Is this because some gag-ordered warrant demands that they backdoor consumer VPNs with obsolete, easily breakable VPN software? With the same key used across multiple routers?
If so, that's not good. And it's worse, really: Crooks like money. They like lots of money even more than that. And they have a slightly modified desire than the three-letter agencies: They don't want to capture it all; they want to capture the financial details so they can rob people, preferably en masse. And if VPNs with Netgear are easily broken by the NSA, they can certainly be broken by crackers with $$$ in their eyes. All you need is somebody who happens to use the same password, in the clear, for their bank accounts somewhere, too. And if you don't think crackers have access to major network routers and pass points, then you haven't been paying attention.
5. Of course, all this aluminum foil hat stuff may be complete BS. It may be very much simpler: Netgear is playing IoT (Internet of Things) follies. This argument goes along the line of Netgear making its money by selling hardware; the software is there to make sure the hardware is sold. Once the hardware is out the door, any desire for updated software is muted by the desire to Not Spend Money Doing That. Unless one is still selling that hardware, in which case a competitive disadvantage may occur, thus causing a little more development bucks being spent.
This is the reason that things like commercial grade routers with no effective software support are lumped with IoS (Internet of S**t) objects, like refrigerators and the like. The lack of an update may simply be that Netgear has unofficially abandoned the v2 version of the R6700, with the famous, "Screw You!" that businesses like to do. They got your money, what are you going to do?
With many commercial routers that use Open Source software, like the R6700v2, a user community effort helps with that: DD-WRT, Tomato, and others are out there, get regular updates, and support VPNs. But from what I hear no effective support has appeared for the R6700v2, which makes Netgear's apparent approach much, much worse for all the punters left holding the bag with their IoS hardware.
Netgear: Please respond and give some indication that you're working to fix this router's VPN server software. Really, the UI and all that is superior, and it works. If no indication is coming.. You may find yourself on the pages of Arstechnica sooner than later.
KBeck
- pthorvald, Apr 30, 2018 (Guide)
NG folks have been on these threads, it is clear someone in NG knows about the problem. However, for whatever reason they have not been able to put enough resources on the problem to get a fix out. The simplest explanation is probably the correct one: It is a low priority for them. :-( I seriously doubt it is any sinister conspiracy with the government.
I spent many years in a large consumer electronics company and I am confident it is going something like this:
- The support folks are all asking the Dev folks to build a fix.
- The dev folks have this task on a long list of things that they have to prioritize. Consequently they have either not finished a fix or not gotten to it. (Let's face it, the % of their customers for this product that use VPN is really low)
It is very likely that no one in NG has explicitly said "we won't fix it", but it is also likely that the priority is low enough that it will not get fixed anytime soon (if ever). As others have pointed out, they already have our money. The only cost to NG of not fixing it is 1) Support calls and 2) the potential lost sales due to a bad reputation. Consequently, when the dev team has to decide between working on the new product or fixing the old product... the existing customer needs can easily get left out.
As long as they are still selling the product, there is a reasonable likelihood they will eventually address this issue and make the 'fix' available to the current users. Unfortunately, one way they could decide to fix the issue is to quit saying they support VPN. If they do that, it *is* an explicit decision not to provide a patch. (The good news is that 1) marketing people always *hate* to give up a feature and 2) it might be easier for them to put out a fix than it is to change all of their documentation, and packaging)
The only place we (the consumers) have any real power is our ability to impact their reputation. With the modern internet, we have the ability to educate others about the lack of support (How costly to NG is a bad review of a NG product on Amazon?)... and that has the possibility of getting their attention due to the fear of losing sales.
I really hope that NG comes through and we don't have a need to exercise that power.
- ncazer, Apr 30, 2018 (Tutor)
You're probably right. In any case, Netgear is losing me as a customer. They should consider what amount of lifetime value their customers have...
- KBeck123, Apr 30, 2018 (Tutor)
I dunno. The UI on this router's fine; built-in instructions on how to get the whole VPN business set up and running were pretty clear. There's weirdnesses involved with the DNS-to-IP stuff, but it still appears to be a freebie, not bad.
My personal opinion is that over time, more and more people are going to use these VPN services because, well, the world is becoming a hairier place.
Maybe there's another solution for Netgear on this router. Or maybe most of their consumer grade routers: Publish enough of the code so that the mavens over at DD-WRT can take a stab at it; or even assign somebody full-time, so they can make 0.9 revs of DD-WRT available for the download, rather than the Netgear-specific load. A double win: They don't have to support the old software any more and their gear ceases to be an issue with random security updates on Linux-based routers. The only downsides I can see would be two-fold: 1) The DD-WRT stuff would compete with new routers (i.e., people wouldn't ditch the old stuff due to insecure/buggy software like they do now); and 2) they'd have to hire or repurpose somebody to be the DD-WRT maven. But it might actually end up as a staff reduction; they wouldn't have to scurry quite as much chasing major security bugs.
One of the reasons I ditched the Netgear WNDR-3700v2 I used to have was that it didn't have the horsepower/throughput to do streaming and it didn't have the stability to do VPN in the first place. And, yeah, it died of old age. People will still buy Netgear - if they can keep the support going. And maybe putting the support on DD-WRT and the like would be the leg up they need to expand.