
secureWannaB
Mar 03, 2017
Status: Reviewed

VPN improvements: Stronger encryption and multi-user authentication

1. Looks like it's using SHA1, which is obsolete:

Fri Mar  3 07:54:22 2017 us=826132 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Mar  3 07:54:22 2017 us=826220 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar  3 07:54:22 2017 us=826266 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Mar  3 07:54:22 2017 us=826311 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WFri Mar  3 07:54:22 2017 us=826456 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
I'm glad you're using TLS1 and AES, but I'd expected SHA1 would have been retired years ago.  SHA2 is the new minimum.  Actually, if you want these devices to last, I would think you'd go for the maximum that clients are likely to support, since today's maximum becomes the minimum in 2-5 years.
2. There is no way to specify different users for the VPN.  Presumably anyone with the zip file of certificates can connect to this VPN.  If there were multiple users and a key were compromised, we could shut down that user and keep using the VPN.  But with this router, there's only one VPN "user".  Maybe multiple people can use that at once, but if the certificate/key were ever exposed, I think our only secure recourse would be to get a new router.
I understand that this is a home router, so maybe having a VPN at all is an afterthought - most people only care about an easy setup and fast routing.  But even dd-wrt has a facility to create multiple VPN clients, each with a different password:

https://www.howtogeek.com/51772/how-to-setup-a-vpn-server-using-a-dd-wrt-router/
I guess I had expected some way to manage VPN clients.
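An added illustration, not configuration taken from the router or written by the poster: the OpenVPN 2.4 server directives that produce the log lines quoted above, next to a hardened equivalent that also addresses the single-user point by giving each person their own certificate and a revocation list. File paths, the VPN subnet and the EasyRSA commands are assumptions.

```conf
# --- Before: directives that reproduce the quoted log (OpenVPN 2.3-era defaults) ---
cipher AES-128-CBC        # "Cipher 'AES-128-CBC' initialized with 128 bit key"
auth SHA1                 # "Using 160 bit message hash 'SHA1' for HMAC authentication"
# no tls-version-min, so the control channel negotiates down to TLSv1;
# server.key generated as 1024-bit RSA -> "TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA"
duplicate-cn              # one shared client certificate for every user

# --- After: hardened server.conf (assumed paths; OpenVPN 2.4 syntax) ---
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0      # assumed VPN subnet

# Server identity: key generated at 2048 bits or more (easy-rsa defaults to 2048)
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem

# Control channel: TLS 1.2 minimum and forward-secret AEAD suites only
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-crypt /etc/openvpn/tc.key      # encrypts and authenticates control packets; unkeyed probes are dropped

# Data channel: AEAD cipher; SHA-256 for any HMAC still in use (tls-crypt, non-AEAD fallback)
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Per-user identity: every person gets their own certificate, so no duplicate-cn.
# Revoking one user means revoking their cert and refreshing the CRL; CA and router stay.
#   ./easyrsa revoke alice && ./easyrsa gen-crl      (EasyRSA 3, assumed user name)
crl-verify /etc/openvpn/crl.pem
remote-cert-tls client             # only accept certificates issued for client use
```

With AES-256-GCM the data channel no longer uses the `auth` hash at all, so the SHA256 setting only matters for tls-crypt and for clients that fall back to a CBC cipher.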

4 Comments

  • That's the problem: why an old standard that is no longer safe is still around, but the people who could force a change are the ones who buy the networking equipment and speak with their money. I agree that when a person buys a router for their home they are not looking past the shiny picture of the router and all the bells and whistles that are listed and fill every free spot on the box; little do they realize what is missing from the total package until it is too late.

  • AbhayB (NETGEAR Employee Retired): Status changed: Unspecified to Reviewed
  • To expand on this: I would like to see configurable SSL certificates. In other words, I do not trust (nor should I) the out of the box certificates used by the VPN service on the router. Please implement a facility for configuring the SSL certificates in addition to managing authentication as someone suggested above.
    To take this a step further, implementing two-factor authentication would be ideal where a user could configure their smartphone as the second factor - something that utilizes the standards implemented in the Microsoft and Google Authenticator apps would be a modern way to accomplish this.
    VPNs are becoming more common in the consumer market - IoT devices such as security cameras, thermostats and even lightbulbs can't be trusted on the open internet, thus a secure method of remote management is needed (how else are you going to turn up the heat before you get home?).
    A use case I saw recently was someone port forwarding through the firewall/router right to a camera. The camera did not implement SSL on its browser-based management interface, so not only was this insecure device available on the public internet, login credentials (which were likely factory default) were sent unencrypted. Configurations like these are trivial to "hack" and must be avoided at all costs.
  • Definitely makes sense! It would be a lovely feature which would ease the use of OpenVPN on the Netgear routers. I guess ASUS already has it available in the GUI (I guess it can be made easily available even on Netgear devices, since it is running Linux anyway, but the GUI webpage needs to be developed and linked with the Linux utilities....).
    I would be quite happy with this feature subset (on r6400v2 :) :) )

    - feature to upload certificates/keys for the router/VPN from GUI

    - feature to upload and manage certificates and keys for the clients from GUI

    **** OPTIONAL **** certificate/key generation on the router (somebody/?most folks? would anyway use 3rd-party generated certs/keys, so certificate/key generation on the device would not help them as such)
    Fingers crossed and Cheers