NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

ncazer's avatar
ncazer
Tutor
Jan 19, 2018
Solved

R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

I am unable to connect to my Netgear R6700v2 VPN using my android device becasue the certificate my router generates is still using MD5 when services started requiring SHA256. MD5 has been known to b...
Firmware
vpn sha256 md5 firmware update
ncazer's avatar
ncazer
Tutor
Apr 30, 2018

You're probably right. In anycase, Netgear is loosing me as a customer. They should consider what amount of lifetime value thier customers have...

 

pthorvald wrote:

NG folks have been on these threads, it is clear someone in NG knows about the problem.     However, for whatever reason they have not been able to put enough resources on the problem to get a fix out.      The simplist explination is probably the correct one:    It is a low priority for them.  :-(    I seriously doubt it is any sinister conspiracy with the goverment.   

 

I spent many years in a large consumer electronics company and I am confident it is going something like this:

  1.  The support folks are all asking the Dev folks to build a fix.    
  2.  The dev folks have this task on a long list of things that they have to prioritize.    Consequently they have either not finished a fix or not gotten to it.    (Lets face it,  the % of their customers for this product that use VPN is really low)

It is very likely that no one in NG has explicitly said "we won't fix it", but it is also likely that the priority  is low enough that it will not get fixed anytime soon (if ever).    As others have pointed out, they already have our money.    The only cost to NG of not fixing it is 1) Support calls and 2) the potential lost sales due to a bad reputation.  Consequently, when the dev team has to decide between working on the new product or fixing the old product.... the existing customer needs can easilly get left out.

 

As long as they are still selling the product,  there is a reasonable likelyhood they will eventually address this issue and make the 'fix' available to the current users.    Unfortunatly, one way they could decide to fix the issue is to quit saying they support VPN.    If they do that, it *is* an explicit decision to not to provide a patch. (The good news is that 1) marketing people always *hate* to give up a feature and 2) it might be easier for them to put out a fix than it is to change all of their documentation, and packaging)

 

The only place we (the consumers) have any real power is our ability to impact their reputation.    With the modern internet, we have the ability to educate others about the lack of support (How costly to NG is a bad review of a NG product on Amazon?)......and that has the possibility of getting their attention due to the fear of loosing sales.

 

I really hope that NG comes through and we don't have a need to exercise that power.    

 

 

 

 

 

  • KBeck1234's avatar
    KBeck1234
    Initiate
    Jun 26, 2018

    Blanca_O & Co.:

    Thank you! Have successfully downloaded the new firmware, updated the VPN software, got the new client, and it works. The Open VPN logs on my cell show no trace, as far as I can tell, of the MD5 problem. Given the length of time it's taken, I was half-convinced I was going to ditch this router and go to a competitor: Kudos for taking the time out to get this thing fixed.

    A couple of comments from the upgrade attempt, for possible changes to your FAQ on the subject and a Warning To Others :).

    1. Got onto the router home page and it immediately notified that there was an update. Two different spots on the router page lit up with an invitation to "get the update". Clicking on either leads to a progress bar indicating a download.. But this eventually clears with a message of, "No update available", indicating, shall we say, a bug we drive a truck through in the built-in update method :smileyhappy:. This was fixed by actually reading the FAQ (horrors) where it says to download the file onto one's PC from netgear, unzipping said file, then updating by hitting the "browse" button on the router web page, locating the unzipped .img file, and selecting that. It ran.
    2.  Next: Up popped this nifty message stating "<<Attention>> A new OpenVPN configuration package for your router is available that enhances your router’s security. You must update the OpenVPN configuration package for your router. Once the OpenVPN configuration package is updated, you must update the OpenVPN configuration package on all your clients; otherwise, your clients won’t be able to access your router using the VPN feature.". Cool, that's what we want, un updated OpenVPN configuration package. Hit the button on this one.. and waited... and waited... and waited... and waited. Fifteen minutes later, figured, "This ain't gonna work", went to the router ip address and logged on again. Went to the VPN service page and downloaded the new package for a Smart Phone, put it on the Smart Phone, and then discovered that the Android OpenVPN client doesn't make it highly obvious how to delete an old profile. After stooging around a bit and deleting the original OpenVPN configuration files and such, managed to delete the old profile, load the new one, and, ta-da, it worked. Also: If one hasn't refreshed the Dynamic DNS, one should do so. Conclusion: There's a bug in the VPN package update that doesn't actually do a progress bar successfully, leaving users in the lurch. Fix it, please?

    In any case, Thank You Gentlepeople Very Much for updating this router.

     

    • Blanca_O's avatar
      Blanca_O
      NETGEAR Employee Retired
      Jun 26, 2018

      Hi KBeck1234, 

       

      Thank you for sharing the result. I am very pleased of the update. 

       

      Regards, 
      Blanca 
      Community Team