Morganino
Jun 26, 2017 Tutor
Netgear R7000 and OpenVPN for Android App
Hi, since last OpenVPN for Android App update (v.0.6.73) downloadable at the following link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn OpenSSL version was upgraded to 1.1 and...
- Feb 28, 2018
Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
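The reminder above to confirm that telnet is off again is easy to automate. The following is an added Python example, not part of Diggie3's document and not NETGEAR code: it probes a TCP port the way you would probe the router's telnet port (23) on its LAN address after unticking "Enable Telnet". Because it has to run offline here, the demonstration function stands up a throwaway loopback listener in place of the router's telnetd and shows the probe reporting it reachable while bound and refused after it is closed. The router address 192.168.1.1 in the `__main__` block is the one used later in this thread and is only a placeholder for your own.

```python
"""Verify that a telnet (or any TCP) service is really off after the key work is done.
Added example for this thread; not from the guide and not NETGEAR code."""
import socket


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port completes (something is listening),
    False if the connection is refused or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_local_listener():
    """Offline demonstration: a throwaway loopback listener stands in for the
    router's telnetd. Returns (reachable_while_listening, reachable_after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_enabled = tcp_port_open("127.0.0.1", port)
    srv.close()                      # equivalent of unticking "Enable Telnet"
    after_disable = tcp_port_open("127.0.0.1", port)
    return while_enabled, after_disable


if __name__ == "__main__":
    # Real use: probe the router's LAN address on the telnet port once you are done.
    # 192.168.1.1 is the address used in this thread; substitute your own.
    print("router telnet reachable:", tcp_port_open("192.168.1.1", 23))
    print("loopback demo (while listening, after close):", check_local_listener())
```

A `True` from the router probe after you have finished means the telnet daemon is still up and the debug-page change did not take; reboot or re-check the option before leaving the router on the network.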
jesperch
Feb 08, 2018 Aspirant
Has anyone tried the most recent hot fix? It lists Security
R7000 Firmware Version 1.0.9.26 - Hot Fix
Bug Fixes:
- Fixes the Wi-Fi disconnect issue caused by a flood of broadcast traffic.
- Fixes security issues.
https://kb.netgear.com/000053870/R7000-Firmware-Version-1-0-9-26-Hot-Fix
Diggie3
Feb 08, 2018 Luminary
It always lists security. It's completely f***ing meaningless since NG won't say what security issues they addressed and thus you also can't know which they did not address.
Worst. Release notes. Ever.
They should be ashamed. No company serious about security would do this.
- ClarDold Feb 08, 2018 Apprentice
Firmware Version V1.3.0.20_10.1.1
I've seen no changes to the VPN config page, and the old certs still work.
- Diggie3 Feb 08, 2018 Luminary
I'll try to get my instructions up this weekend. Sorry, I've been busy with work and I just gave up dealing with the router the past few weeks since NG took so long to address the firmware stability, I lost interest.
- amornik Feb 12, 2018 Aspirant
Hi!
As this seems like a big issue for everyone, it would be great if you could post the steps, even in a basic form and not as detailed.
I'm a networking guy myself and I will find the time to take this and turn it into a guide. Just give me the bare minimum.
Thanks!
- ClarDold Feb 15, 2018 Apprentice
R7000P Firmware Version V1.3.0.20_10.1.1
I received a phone call from Netgear L2 Expert support.
The change in OpenVPN certs has been accomplished for some Netgear routers, and will be finished for the R7900P before the drop dead date for Android OpenVPN.
I asked which routers had already been updated, and she couldn't tell me.
My R7000P Firmware Version V1.3.0.20_10.1.1 has a 2018-01-23 15:12 R7000P-V1.3.0.20_10.1.1.chk
I looked at the opensource download, and it has a 2018-02-15 10:16:03 V1.3.0.10_1.2.2_gpl, so there is something newer underway. It still has an MD5 ca.crt, though.
- Diggie3 Feb 15, 2018 Luminary
That's interesting. As a status update, I have spent many hours this week already writing a guide, I have to fit it in around work/life. I hope to have something up here in the next few days.
- bripab007 Feb 21, 2018 Tutor
I submitted an email support request to Netgear yesterday asking when they plan to release a new firmware with an updated OpenVPN server build that uses SHA256 instead of MD5 signing algorithm, but I've yet to receive any useful info.
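The question bripab007 is asking NETGEAR is, concretely, whether a given ca.crt (or server/client cert) is MD5-signed, which is what a current OpenSSL refuses at its default security level. On a PC you would run `openssl x509 -in ca.crt -noout -text` and read the "Signature Algorithm" line. The following added Python example, not from the thread and not NETGEAR code, performs the same check without OpenSSL by walking the certificate's outer DER structure (a Certificate is a SEQUENCE of tbsCertificate, signatureAlgorithm and signatureValue) and mapping the AlgorithmIdentifier OID to its name. It has no real certificate to hand, so the stand-in certificates it builds for the offline demo are constructed, certificate-shaped DER and not valid certificates; in practice you feed it the ca.crt pulled off the router with tftp.

```python
"""Report the signature algorithm of an X.509 certificate (e.g. a router's ca.crt)
by reading its DER structure. Added example for this thread; not NETGEAR code."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) mapped to OpenSSL's names.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# MD5 is what OpenSSL 1.1 stopped accepting on certificates at its default
# security level; SHA-1 went the same way in OpenSSL 3.x.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(cert):
    """Name (or dotted OID) of the outer signatureAlgorithm of a PEM or DER certificate."""
    if isinstance(cert, str):
        cert = cert.encode()
    der = pem_to_der(cert.decode()) if cert.lstrip().startswith(b"-----BEGIN") else cert
    tag, pos, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)           #   tbsCertificate (skipped)
    tag, alg_pos, _ = _read_tlv(der, tbs_end)     #   signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_pos, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_pos:oid_end])
    return SIG_ALG_OIDS.get(oid, oid)


def is_weak(cert):
    return signature_algorithm(cert) in WEAK_SIG_ALGS


# --- constructed stand-in certificates for the offline demo (NOT real certificates) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Certificate-shaped DER: dummy tbsCertificate, real AlgorithmIdentifier, dummy BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                              # placeholder TBS
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" + bytes(16))                              # placeholder signature
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


MD5_SAMPLE = to_pem(fake_certificate("1.2.840.113549.1.1.4"))      # like the old MD5 ca.crt
SHA256_SAMPLE = to_pem(fake_certificate("1.2.840.113549.1.1.11"))  # what replacement keys use

if __name__ == "__main__":
    for label, pem in (("md5 sample", MD5_SAMPLE), ("sha256 sample", SHA256_SAMPLE)):
        print(label, signature_algorithm(pem), "WEAK" if is_weak(pem) else "ok")
```

Run it over every .crt you pulled from the router, not only ca.crt: the Android client checks the whole chain, so a SHA-256 CA with an MD5-signed server or client certificate still fails.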
- katsaw Feb 22, 2018 Guide
It is hard for me to understand why it is so difficult to change the encryption method?
It seems all VPN servers except NG OpenVPN have different options for encryption.
- NG_Guru Feb 25, 2018 Star
I'm looking forward to see if I can update my R8500 with your method. I have telnet enabled.
Are you by chance loading your certificates via the hidden page? http://192.168.1.1/OPENVPN_hidden.htm
- NG_Guru Feb 25, 2018 Star
looks like the certificates are stored in /usr/temp/openvpn
files are: ca.crt client.crt client.key dh1024.pem server.crt server.key
There may also be an easier way to enable telnet from the check box at http://192.168.1.1/debug.htm
- kuser Feb 25, 2018 Star
This looks very promising, why is this page hidden?
- Diggie3 Feb 25, 2018 Luminary
Hi,
Please see attached. I hope it works for you, but it is 100% at your own risk.
It has honestly been exhausting putting this together so I hope NG will automate replacing keys through the UI in future.
- huttler Feb 25, 2018 Aspirant
Thank you for posting the fix! Hopefully I can try it out next weekend
- NG_Guru Feb 25, 2018 Star
I can confirm that step 1 can be avoided (R8500) by going to http://192.168.1.1/debug.htm and select "Enable Telnet "
Can anyone else confirm that telnet can be enabled this way ?
- Diggie3 Feb 25, 2018 Luminary
NG_Guru: I'm open to writing in some shortcuts as long as it doesn't complicate the flow. I do know the magic packet has been around for years on all models/firmwares.
I'd love to hear from anyone who managed to replace their keys successfully so I know I didn't write in any major errors. I found a couple of insignificant typos I'll fix later in a 1.0.1 version.
Cheers, and good luck.
- NG_Guru Feb 25, 2018 Star
Very nice instructions!
I was able to update my NightHawk R8500 using these instructions.
For me the hardest part would have been creating the keys. Your directions were right on!
I verified old keys are dead and new keys are working.
My R8500 is hardware Ver1 and Firmware Version V1.0.2.116
- katsaw Feb 26, 2018 Guide
Diggie3 wrote:
Hi,
Please see attached. I hope it works for you, but it is 100% at your own risk.
It has honestly been exhausting putting this together so I hope NG will automate replacing keys through the UI in future.
Hi Diggie3, thank you very much for your useful instructions!
For my R6220 router with Firmware Version V1.1.0.64_1.0.1, I can enable telnet by selecting the option in http://192.168.XX.1/debug.htm.
However, the files in the directory /tmp/openvpn of your instructions are:
ca.crt
client.crt
client.key
dh1024.pem
server.crt
server.key
In my R6220 router, the files are:
ca.crt
ca.key
client.crt
client.csr
client.key
dh1024.pem
dh2048.pem
openss1.cnf
server.crt
server.csr
server.key
vars
More files were found in the mentioned directory. Do you have any idea about the other files? In particular, there are 2 pem files, "dh1024.pem" & "dh2048.pem".
- katsaw Feb 26, 2018 Guide
NG_Guru wrote:
I can confirm that step 1 can be avoided (R8500) by going to http://192.168.1.1/debug.htm and select "Enable Telnet"
Can anyone else confirm that telnet can be enabled this way ?
This also works for my R6220 router. Selecting "Enable Telnet" will enable the linux telnet server inside the R6220.
- Diggie3 Feb 26, 2018 Luminary
That's interesting.
I'm not at home right now so I can't check my R7000 but one difference seems to be that on your device the OpenVPN configuration seems to be in /tmp/openvpn, whereas on my R7000 it's at a different location.
Can you please follow Step 4, then follow the part of Step 5 that tells you how to transfer the original keys from your router with tftp, but instead of sending originalkeys.zip send openss1.cnf. I would suspect looking at this file will tell us which files the router is really going to use. It might also be interesting to inspect "vars". Please check they have no confidential information before posting them, or send me links in a direct message.
It looks like some of those files are certificate signing requests that perhaps NG left on the device but I suspect don't actually need to be there (though you should leave them alone). ca.key probably is supposed to be on the key signing machine only so assuming your router is never signing new keys itself (afaik my R7000 doesn't) that probably isn't necessary either.
- katsaw Feb 27, 2018 Guide
Diggie3 wrote:
That's interesting.
I'm not at home right now so I can't check my R7000 but one difference seems to be that on your device the OpenVPN configuration seems to be in /tmp/openvpn, whereas on my R7000 it's at a different location.
Can you please follow Step 4, then follow the part of Step 5 that tells you how to transfer the original keys from your router with tftp, but instead of sending originalkeys.zip send openss1.cnf. I would suspect looking at this file will tell us which files the router is really going to use. It might also be interesting to inspect "vars". Please check they have no confidential information before posting them, or send me links in a direct message.
It looks like some of those files are certificate signing requests that perhaps NG left on the device but I suspect don't actually need to be there (though you should leave them alone). ca.key probably is supposed to be on the key signing machine only so assuming your router is never signing new keys itself (afaik my R7000 doesn't) that probably isn't necessary either.
Sure, I will try my best to get all the mentioned information. If possible, I will get all these files and attach them.
It may need a couple of days because I am not familiar with tftp file transfer.
Anyway, thank you very much for your attention.
- Diggie3 Feb 27, 2018 Luminary
No problem. Following those guide steps should give you all you need to enter the tftp commands, but another way is to type,
cat openss1.cnf
cat vars
This will dump their contents into the console, so it's a bit messy but you could then copy/paste.
- katsaw Feb 27, 2018 Guide
Diggie3 wrote:
No problem. Following those guide steps should give you all you need to enter the tftp commands, but another way is to type,
cat openss1.cnf
cat vars
This will dump their contents into the console, so it's a bit messy but you could then copy/paste.
Sorry, I have made a mistake. The file name should be "openssl.cnf" instead of "openss1.cnf".
The text content of "openssl.cnf", "vars", "dh1024.pem" & "dh2048.pem" is attached in a single PDF file.
- katsaw Feb 27, 2018 Guide
Diggie3 wrote:
That's interesting.
I'm not at home right now so I can't check my R7000 but one difference seems to be that on your device the OpenVPN configuration seems to be in /tmp/openvpn, whereas on my R7000 it's at a different location.
Can you please follow Step 4, then follow the part of Step 5 that tells you how to transfer the original keys from your router with tftp, but instead of sending originalkeys.zip send openss1.cnf. I would suspect looking at this file will tell us which files the router is really going to use. It might also be interesting to inspect "vars". Please check they have no confidential information before posting them, or send me links in a direct message.
It looks like some of those files are certificate signing requests that perhaps NG left on the device but I suspect don't actually need to be there (though you should leave them alone). ca.key probably is supposed to be on the key signing machine only so assuming your router is never signing new keys itself (afaik my R7000 doesn't) that probably isn't necessary either.
I am interested in why you are curious about the location of the OpenVPN configuration files (/tmp/openvpn) on my R6220 router. Actually, I followed the instructions on pages 32 & 33 of your PDF. It also states that we can find the configuration files in "tmp/openvpn".
It will be a problem for me since there are 2 pem files (dh1024.pem & dh2048.pem) and I have insufficient knowledge to know which one is the correct Diffie-Hellman parameters!
Pls let me know if you need more information of the files found in my Netgear R6220.
Thanks again.
- Diggie3 Feb 27, 2018 Luminary
Please be careful which files you post, you should not post your dh params. Fortunately we are working on replacing those ;)
Okay so the files you posted (openssl.cnf and vars) are part of the easy rsa scripts to generate the original keys. I would continue to guess that unless the router itself was generating keys, which I doubt, they don't really need to be there, and we should just ignore them.
Try these commands:
cat /tmp/server_tap.conf
cat /tmp/server_tun.conf
On my R7000 the first few lines of each output will show the dh file that OpenVPN server is using.
You can probably also type this to verify which conf files are in use:
ps | grep openvpn
Unfortunately, at least on my R7000, /tmp itself is stored on part of a file system that is not updatable (you can write to it but when you reboot your changes will most likely be gone). This leaves us only able to update the keys and not the OpenVPN configs themselves. If NG engineers wanted to be friendly and help us fix more problems ourselves in future they could think about making more writable overlays :)
- katsaw Feb 27, 2018 Guide
Diggie3 wrote:
Please be careful which files you post, you should not post your dh params. Fortunately we are working on replacing those ;)
Okay so the files you posted (openssl.cnf and vars) are part of the easy rsa scripts to generate the original keys. I would continue to guess that unless the router itself was generating keys, which I doubt, they don't really need to be there, and we should just ignore them.
Try these commands:
cat /tmp/server_tap.conf
cat /tmp/server_tun.conf
On my R7000 the first few lines of each output will show the dh file that OpenVPN server is using.
You can probably also type this to verify which conf files are in use:
ps | grep openvpn
Unfortunately, at least on my R7000, /tmp itself is stored on part of a file system that is not updatable (you can write to it but when you reboot your changes will most likely be gone). This leaves us only able to update the keys and not the OpenVPN configs themselves. If NG engineers wanted to be friendly and help us fix more problems ourselves in future they could think about making more writable overlays :)
Many thanks for your quick reply!
The 2 files cannot be found in the specified directory.
/tmp/server_tap.conf
/tmp/server_tun.conf
After executing the command "ps | grep openvpn", the following result was shown on the screen:
4685 root 1520 S grep openvpn
7189 root 3904 S /usr/sbin/openvpn --config /etc/server.conf
7191 root 4196 S /usr/sbin/openvpn --config /etc/server_phone.conf
- Diggie3 Feb 27, 2018 Luminary
Okay, your router seems to be significantly different.
Type:
cat /etc/server.conf
cat /etc/server_phone.conf
That'll let you see your OpenVPN configs.
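Diggie3's last two posts describe the manual version of this check: `ps | grep openvpn` tells you which config files the running OpenVPN instances were started with, and the `ca`, `cert`, `key` and `dh` lines in each config tell you which files in /tmp/openvpn (or wherever the firmware keeps them) actually have to be replaced, which also settles the dh1024.pem versus dh2048.pem question. The following added Python example, not from the thread and not NETGEAR code, automates that: it pulls the `--config` paths out of ps output, reads each config (skipping comments and inline `<ca>...</ca>` blocks) and lists every key-material file the running servers reference. The three ps lines are the ones katsaw posted from the R6220; the two config files are constructed for the example (the page only shows their paths), and giving the two instances different DH files is an assumption made to show the point. The `read_file` callable is passed in so the same code can be pointed at a dictionary here and at `open(path).read()` on a router or on copies fetched over tftp.

```python
"""Work out which OpenVPN configs a router is running and which key-material files
they use. Added example for this thread; sample configs are constructed, not from a device."""
import shlex

# Directives whose argument names a file holding key material (from the OpenVPN
# manual; tls-auth/tls-crypt/pkcs12 are included as an assumption beyond what the
# thread shows, in case a firmware uses them).
KEY_FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt",
                       "crl-verify", "pkcs12")


def configs_from_ps(ps_output):
    """Paths given to --config on each openvpn command line in `ps` output."""
    paths = []
    for line in ps_output.splitlines():
        argv = line.split()
        if "grep" in argv or not any("openvpn" in a for a in argv):
            continue                                  # skip the grep itself and other processes
        for i, tok in enumerate(argv):
            if tok == "--config" and i + 1 < len(argv):
                paths.append(argv[i + 1])
            elif tok.startswith("--config="):
                paths.append(tok.split("=", 1)[1])
    return paths


def key_files(config_text):
    """Map each key-material directive in an OpenVPN config to the file it names
    ('<inline>' when the material is embedded in a <ca>...</ca>-style block)."""
    found = {}
    inline = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":               # OpenVPN comment lines
            continue
        if inline is not None:                        # inside <tag> ... </tag>
            if line == "</%s>" % inline:
                inline = None
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            if inline in KEY_FILE_DIRECTIVES:
                found[inline] = "<inline>"
            continue
        parts = shlex.split(line)
        if len(parts) > 1 and parts[0] in KEY_FILE_DIRECTIVES:
            found[parts[0]] = parts[1]
    return found


def inventory(ps_output, read_file):
    """{config path: {directive: file}} for every running instance; read_file(path) -> text."""
    return {cfg: key_files(read_file(cfg)) for cfg in configs_from_ps(ps_output)}


def files_to_replace(inv):
    """Sorted, de-duplicated list of on-disk files the running servers load keys from."""
    return sorted({p for d in inv.values() for p in d.values() if p != "<inline>"})


# The ps lines katsaw posted from the R6220 (whitespace only tidied).
PS_OUTPUT = """\
 4685 root      1520 S    grep openvpn
 7189 root      3904 S    /usr/sbin/openvpn --config /etc/server.conf
 7191 root      4196 S    /usr/sbin/openvpn --config /etc/server_phone.conf
"""

# Constructed sample configs (not copied from any device); the differing dh lines are
# an assumption to show why each running config has to be read.
SAMPLE_FILES = {
    "/etc/server.conf": """\
dev tap
proto udp
port 1194
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dh /tmp/openvpn/dh1024.pem
""",
    "/etc/server_phone.conf": """\
dev tun
proto udp
port 1195
; same CA and server cert, larger DH group
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dh /tmp/openvpn/dh2048.pem
""",
}


def demo():
    return inventory(PS_OUTPUT, SAMPLE_FILES.__getitem__)


if __name__ == "__main__":
    inv = demo()
    for cfg, files in inv.items():
        print(cfg, files)
    print("replace:", files_to_replace(inv))
```

The list from `files_to_replace` is the set of files to swap for the SHA-256-signed replacements; anything else in the directory (the .csr files, vars, openssl.cnf, ca.key, the unreferenced dh file) is not loaded by the running servers. Remember Diggie3's caveat that on some models the directory lives on a volatile file system, so re-run the check after a reboot.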