

MrChrisH
Aspirant
Oct 23, 2025

RS700 VPN Service certs incomplete?

I've been setting up NoIP and the VPN Service on my RS700. I'm on firmware version V1.0.9.6_2.0.100. 

 

After much tinkering and following much of the helpful advice here, I have a connection that works. However, I am getting this error in the log, which I have seen others post about, but updating the firmware seems to be the solution(?). I'm on the latest firmware.
Thu Oct 23 17:12:39 2025 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

 

When I add remote-cert-tls server to my .ovpn file, which in my understanding is good practice to include, my connection fails:
Thu Oct 23 17:15:09 2025 Certificate does not have key usage extension
Thu Oct 23 17:15:09 2025 VERIFY KU ERROR

 

I've stopped and started the VPN Service multiple times, re-copied the config files, etc., but cannot get the connection working with remote-cert-tls server in my .ovpn file.

 

The certificate provided by the router seems to be missing the necessary Key Usage (KU) flags.

 

How do I fix this, please?

17 Replies

    • MrChrisH
      Aspirant

      Thanks for checking, yes, I'm on firmware version V1.0.9.6_2.0.106. I updated fw again this AM, as I noticed a very recent new version, and reconfigured openvpn and downloaded config files from the router. 

       

      I still get the "Certificate does not have key usage extension" error and the connection fails when I include remote-cert-tls server in my config. 

      • FURRYe38
        Guru - Experienced User

        FW version should be v.16 though. Can you confirm this? 

         

  • StephenB
    Guru - Experienced User
    MrChrisH wrote:

    The certificate provided by the router seems to be missing the necessary Key Usage (KU) flags. 

    Are you seeing a section like this in client.crt?

                X509v3 Extended Key Usage: 
                    TLS Web Client Authentication

     

     

      • StephenB
        Guru - Experienced User
        MrChrisH wrote:

        No. I'm not seeing a section with that header. 

         

        That is why you have the problem.   

         

        FWIW, I missed a second relevant line from my client.crt (from an Orbi, not an RS700):

                     X509v3 Extended Key Usage: 
                        TLS Web Client Authentication
                    X509v3 Key Usage: 
                        Digital Signature 

         

        Only Netgear can fix this, as adding this text would invalidate the cert's digital signature.

         

        All you can do for now is remove remote-cert-tls server.  
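
Added example, not part of the thread and not NETGEAR or OpenVPN code: a Python check that reads the text dump of the certificate the server presents (as printed by `openssl x509 -noout -text`) and reports whether it carries what `remote-cert-tls server` looks for. It assumes OpenVPN 2.4+ semantics (a Key Usage extension must be present and Extended Key Usage must list TLS Web Server Authentication); the function names and the sample dumps are constructed for illustration.

```python
import re

SERVER_EKU = "TLS Web Server Authentication"

def parse_extensions(text_dump):
    """Map each X509v3 extension name to the values listed under it."""
    exts, current = {}, None
    for line in text_dump.splitlines():
        s = line.strip()
        header = re.match(r"X509v3 ([A-Z].+?):\s*(critical)?$", s)
        if header:
            current = header.group(1)
            exts[current] = []
        elif s.startswith("Signature Algorithm"):
            current = None  # the extension block has ended
        elif current and s:
            exts[current] += [v.strip() for v in s.split(",") if v.strip()]
    return exts

def remote_cert_tls_server_problems(text_dump):
    """Return the reasons the peer certificate would fail; [] means pass."""
    exts = parse_extensions(text_dump)
    problems = []
    if "Key Usage" not in exts:
        problems.append("no Key Usage extension")
    if SERVER_EKU not in exts.get("Extended Key Usage", []):
        problems.append("Extended Key Usage lacks " + SERVER_EKU)
    return problems

# Constructed excerpts, not taken from any real router certificate.
NO_KU = """
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
"""
CLIENT_STYLE = """
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
"""
SERVER_STYLE = """
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

for name, dump in [("no KU", NO_KU), ("client", CLIENT_STYLE), ("server", SERVER_STYLE)]:
    print(name, "->", remote_cert_tls_server_problems(dump) or "passes")
```
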

  • CrimpOn
    Guru - Experienced User

    MrChrisH​ 

     

    If you learn something useful and are allowed to 'share', please update the conversation.

     

    I notice the same WARNING about certificate verification method when using OpenVPN with my ancient Orbi system. (Opened a VPN connection just now)

    I wonder if this could be a situation similar to the frustration we all experience with modern web browsers issuing similar warnings about the web interface of the router itself.  i.e.

    • If we connect using http, browsers warn UNSAFE, because by definition http is not encrypted and thus "unsafe".
    • If we connect using https, browsers warn UNSAFE, because the SSL certificate is self-signed and thus there is no "God Like" certificate authority guaranteeing that this SSL certificate belongs to the organization claiming it.

    These warnings, of course, overlook the plain fact that WE deliberately CHOSE which web site for the connection (our own router, on our network).  We did not get a link from some site on the internet or from a suspect email.

     

    In a sense, our use of OpenVPN is similar.  WE chose to open a connection to this specific IP address (or DDNS address) and we are exchanging Keys that WE created using OpenVPN on our router.

     

    For YEARS, I have simply ignored that OpenVPN warning when using OpenVPN.  If there is a simple method to (a) make the warning disappear and (b) improve security, I'm all for it.