
Kompiler
Aspirant

D7000 OpenVPN Server configuration issue

Hi,

 

I recently purchased a D7000 modem/router (firmware 1.0.1.44) with the hope of being able to access my home security cameras remotely from my Android mobile phone but have had no such luck 😞

 

My home network runs on the 192.168.1.x subnet with the router being 192.168.1.1.

I have enabled the VPN Service on the D7000 and selected the 'All sites on the Internet & Home Network' option hoping that everything would go through it.

I downloaded the appropriate configuration files and added these to my Android phone and was able to successfully connect to the router. Yay.

 

Unfortunately I am unable to browse any web site nor access the Network Video Recorder (NVR) using the proprietary software on my phone.

 

Looking at the OpenVPN logs it says:

0 [redirect-gateway] [def1] [bypass-dhcp]

1 [route] [192.168.1.1] [255.255.255.0]

2 [route-gateway] [192.168.2.1]

3 [topology] [subnet]

4 [ping] [10]

5 [ping-restart] [120]

6 [ifconfig] [192.168.2.2] [255.255.255.0]

 

Further down it also says:

[192.168.1.1] [255.255.255.0] : tun_prop_error: route is not canonical

 

I'm guessing that the tun_prop_error is the reason for no internet access but cannot find anywhere to specify the correct address? (I have also tested this on an iOS device with exactly the same outcome)

 

The only thing I have been able to access is the router's configuration page at 192.168.2.1. Loading any other web page simply times out.

  

As a secondary question, do I need static routes set up in order to get to the NVR? Since the NVR runs on port 8000, will this work across the VPN?

 

If anyone has any answers for any of these questions I'd love to hear them. Please 🙂

 

Thanks

Komp

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 40
salopian
Aspirant

Re: D7000 OpenVPN Server configuration issue

I have exactly the same problem. At least now I don't have to look for things I have done wrong. It is either a problem with the router or a setting I don't know of.

Message 2 of 40
DarrenM
Sr. NETGEAR Moderator

Re: D7000 OpenVPN Server configuration issue

You may need to contact OpenVpn for help with these settings or check some of our Kb articles on this.

 

http://kb.netgear.com/app/answers/detail/a_id/23854?cid=wmt_netgear_organic

 

DarrenM

Message 3 of 40
salopian
Aspirant

Re: D7000 OpenVPN Server configuration issue

That link just explains how to set up the VPN link. My problem is that when the link is established I cannot access anything on the LAN.

A VPN link from the same device to my NAS works perfectly, so I do know how to set it up.

 

Having read other threads on how insecure Netgear's implementation of VPN is I will not now be using it.

Message 4 of 40
alexls
Aspirant

Re: D7000 OpenVPN Server configuration issue

Same issue.

Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 5 of 40
michele9999
Aspirant

Re: D7000 OpenVPN Server configuration issue

Hi Komp,

I too have the same problem. On my 192.168.19.0/24 network, like you, I connected an IP cam and wanted to access the video stream via VPN from smartphones. I enabled the VPN on the router and imported the appropriate configuration on my smartphone. The tun0 device on the smartphone is assigned IP 192.168.2.2, and pinging the router (192.168.2.1) is OK, but I cannot ping the IP addresses on my 192.168.19.xxx network. I too have the same "openvpn" log.

23:34:58,790 - EVENT: ASSIGN_IP
23:34:58,795 - Error Parsing IPV4 route: [route] [192.168.19.1] [255.255.255.0]: tun_prop_error: route is not canonical
23:34:58,861 - Connected via tun
23:34:58,862 - EVENT: CONNECTED
info = '@ .... myurl: 12973 (149.xxx.xxx.xxx) via / TCPv4 on tun / 192.168.2.2 / '

I tried two smartphones: Honor 7 => Android v. 6.0  and Oppo Find5 => crDroid => Android v 6.0.1.


In my opinion the server side issues the command: push [route] [192.168.19.1] [255.255.255.0] prematurely.

 

Which version of Android have you tried with?

 

Thanks

Michele

 

 

Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 6 of 40
michele9999
Aspirant

Re: D7000 OpenVPN Server configuration issue

The "openvpn" processes active on my D7000 router:

 

 3015 root      3132 S    /usr/sbin/openvpn --config /etc/server.conf
 3017 root      3476 S    /usr/sbin/openvpn --config /etc/server_phone.conf

file /etc/server.conf       ==>  for desktop clients (Windows, Linux, Apple)

 

dh /tmp/openvpn/dh2048.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dev tap0
server-bridge
proto udp
port  12974
keepalive 10 120
verb 5
mute 5
log-append /tmp/openvpn_log
writepid /tmp/openvpnd.pid
mtu-disc yes
topology subnet
cipher AES-128-CBC
auth sha1
tls-server
client-to-client
duplicate-cn
comp-lzo
fast-io
push "route 192.168.19.1 255.255.255.0"

 

file /etc/server_phone.conf   ==> for smartphone clients

 

dh /tmp/openvpn/dh2048.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dev tun
server 192.168.2.0 255.255.255.0
proto tcp
port  12973
keepalive 10 120
verb 5
mute 5
log-append /tmp/openvpn_log
writepid /tmp/openvpnd.pid
mtu-disc yes
topology subnet
cipher AES-128-CBC
auth sha1
tls-server
client-to-client
duplicate-cn
comp-lzo
fast-io
push "route 192.168.19.1 255.255.255.0"

Ver. openvpn:

 

OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Oct 12 2016
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes
enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown
enable_eurephia=yes enable_fast_install=yes enable_fragment=yes
enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes
enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes
enable_multihome=yes enable_pam_dlopen=no enable_password_save=no enable_pedantic=no
enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes
enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes
enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no
enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no
enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl
with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

 

Link to the OpenVPN 2.3 manual: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

 

Best Regards

 

Michele

Message 7 of 40
salopian
Aspirant

Re: D7000 OpenVPN Server configuration issue

I never tried an old phone and tablet running Android 4 and a new phone running android 6.

I have also tried from a Windows laptop. They all connect but cannot access the LAN.

I can connect to my Synology NAS on the same network with no problem from all devices.

I don't have to use the router so have given up. Next time I buy a router it will be from a manufacturer who can make their equipment work.

The Synology set up was a doddle. Create a certificate and copy it to the device. It just works.

 

Message 8 of 40
michele9999
Aspirant

Re: D7000 OpenVPN Server configuration issue

 
Message 9 of 40
michele9999
Aspirant

Re: D7000 OpenVPN Server configuration issue

In a few days I will try to configure OpenVPN on my Ubuntu server, so we can understand whether the trouble is in the router configuration or in the Android configuration.
Best regards
Michele
Message 10 of 40
michele9999
Aspirant

Re: D7000 OpenVPN Server configuration issue

Hi ,

 

This evening I completed the OpenVPN configuration for my Ubuntu server, pulling all of the commands from the OpenVPN configuration on the router, of course making the obvious changes to the certificates and the OpenVPN server IP. Without even the consequent amendment on the OpenVPN client configuration, in my case I tried with your smartphone. Tried connecting, everything OK.
I can connect to my server at IP 192.168.2.1, defined as the OpenVPN server; at 192.168.19.22 I connect to the server without problems.
No error appears in the OpenVPN client log.
I cannot connect to other IPs in my network, just because I do too many changes on the server to forward traffic to and from other devices.
So the problem lies in the OpenVPN service configuration of the D7000 router.

In the coming days I will try to make changes and let you know the results.

 

Bye

 

Michele

Message 11 of 40
michele9999
Aspirant

Re: D7000 OpenVPN Server configuration issue

 

 

Hi,
I checked the server-side configuration (D7000 router), and there are mistakes
(I showed the configuration files /etc/server.conf and /etc/server_phone.conf in a previous post).
In my configuration, the line:

push "route 192.168.19.1 255.255.255.0"  #### this is wrong.

The correct command in my router configuration would be:
push "route 192.168.19.0 255.255.255.0"

This is because, when OpenVPN is connected, the setting is passed to the client (push) as a parameter to be used by the "ip" command (in Linux), which performs an "ip route add 192.168.19.0 255.255.255.0". This causes all client traffic directed to the IP addresses 192.168.19.0/24 to be routed to the gateway 192.168.2.1, the IP address of the OpenVPN server running on the D7000 router.
If, unlike me, you did not change the router's subnet, then the router assigns IPs in 192.168.0.0/24, and the line in the configuration file must be:
push "route 192.168.0.0 255.255.255.0"

With this setting the client-side configuration is OK and IP traffic is routed the right way.
There is still something at the router level, firewall and routing, that is not complete or correct; I do not know if I can make changes there to test their functionality.

 

Bye

 

Michele

Message 12 of 40
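Added example (not part of the original thread, and not Netgear's or OpenVPN's code): a Python check for the defect diagnosed above, a pushed route whose address has host bits set under its mask, which is what the client log reports as "route is not canonical". The function name `check_routes` and the sample config are assumptions, constructed from the excerpts posted in this thread.

```python
import ipaddress
import re

# Matches server-side  push "route NET [MASK]"  and client-side  route NET [MASK].
# "route-nopull", "route-gateway" etc. do not match: whitespace must follow "route".
ROUTE_RE = re.compile(
    r'^\s*(?:push\s+"\s*)?route\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?'
)


def check_routes(config_text):
    """Return one finding per IPv4 route directive in an OpenVPN config.

    A route is canonical when the address equals the network address for
    its mask (no host bits set). 'fix' holds the corrected directive, or
    None when the address or mask is not valid at all.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        # Drop comments ('#' or ';') before matching.
        directive = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        m = ROUTE_RE.match(directive)
        if not m:
            continue
        # OpenVPN treats a route without a mask as a single host.
        addr, mask = m.group(1), m.group(2) or "255.255.255.255"
        try:
            # strict=False masks off host bits instead of raising;
            # non-contiguous masks and bad octets still raise ValueError.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append({"line": lineno, "directive": directive,
                             "canonical": False, "fix": None})
            continue
        network = str(net.network_address)
        findings.append({
            "line": lineno,
            "directive": directive,
            "canonical": network == addr,
            "fix": directive.replace(addr, network, 1),
        })
    return findings


# Constructed sample: server lines taken from the server_phone.conf excerpt
# in this thread, followed by the client-side route lines posted later.
SAMPLE = """\
dev tun
server 192.168.2.0 255.255.255.0
topology subnet
push "route 192.168.19.1 255.255.255.0"  #### this is wrong.
route-nopull
route 192.168.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for f in check_routes(SAMPLE):
        status = "ok" if f["canonical"] else "NOT CANONICAL"
        print(f'line {f["line"]}: {f["directive"]} -> {status}')
        if not f["canonical"] and f["fix"]:
            print(f'    suggested: {f["fix"]}')
```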
michele9999
Aspirant

Re: D7000 OpenVPN Server configuration issue

Reply to Komp:

 

Hi Komp,

 

If OpenVPN is working properly, your smartphone or laptop is remotely connected as if it were on your router's network, and then to reach the NAS on port 8000, from the browser:
http://192.168.1.xxx:8000
xxx = ip of your NAS

 

Bye

 

Michele

Message 13 of 40
michele9999
Aspirant

Re: D7000 OpenVPN Server configuration issue

Hi,

I cannot point out how to make changes to the /etc/server.conf and /etc/server_phone.conf files because these are not permanent, that is, if I turn the router off and on, they are lost, and the files will be as before.
To get a permanent change, it needs to be Netgear that makes changes to the firmware.

 

In the previous post to Komp I remembered wrongly: I was referring to your NVR, not to a NAS.

 

Bye

 

Michele

Message 14 of 40
BMG
Aspirant

Re: D7000 OpenVPN Server configuration issue

I also have the same issue. It appears that the only way forward in resolving this issue is for Netgear to correct the OpenVPN settings within the firmware, recompile and release a firmware update.

 

Alternatively they may consider creating a menu option within the firmware setup that allows the user to pre-define the VPN settings that they wish to use - very similar to the Billion 7800 series modems where the VPN settings are configurable.

 

Another solution may be to allow the option within the firmware menu to support VPN passthrough, especially for L2TP VPN (especially as the new iOS upgrade no longer supports PPTP and PPTP ports can be passed through with no issues). At the moment you can't port forward UDP 500 as it is used by the modem internally by READYShare, and you cannot disable READYShare.

 

Do Netgear support have anything to add, especially as the D7000 is not the cheapest modem on the market but the support from Netgear is a bit on the pathetic side?

 

All us D7000 users have provided solutions to the OpenVPN solution that the modem is supposedly meant to support but doesn't work, so how about the Netgear engineers get to work on implementing a workable solution.

 

How do Netgear expect consumers to buy their products when users read of these issues? Trust me Netgear, users don't buy an expensive modem that claims to support VPN and doesn't just because it may look ergonomically good!

 

Regards

 

 

Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 15 of 40
ElectricAlan
Aspirant

Re: D7000 OpenVPN Server configuration issue

Hello,

I have the same problem on my D7000.

I confirm what Michele9999 wrote.

 

The openvpn server conf files are wrong.

The correct statement must be:

push "route 192.168.0.0 255.255.255.0" and not 192.168.0.1

 

Can Netgear support change this asap please?

 

Thanks!

A

Message 16 of 40
soulneo
Aspirant

Re: D7000 OpenVPN Server configuration issue

Hi everyone,

I really hope this discussion is not closed yet, because I really have the same issue, and that's frustrating and annoying for such a router which makes VPN a primary key for the business (which also it's not cheap at all).

 

Anyway, I made some improvements: I was able to prevent the error and also surf the internet.

Unfortunately, the LAN is still not reachable.

 

My changes applied to the client_phone.ovpn are the following (bold):

client
route-nopull
route 192.168.1.0 255.255.255.0
dev tun

...

 

I also tried the push "route 192.168.1.0 255.255.255.0" command but it's the same as the one written before.

 

I would ask michele9999 how was he able to modify the server configuration file.

Where did you find it? The "temporary" solution could be nice till Netgear engineers won't fix this for good.

 

I agree with the community: a NEW FIRMWARE is absolutely REQUIRED URGENTLY!!

 

Btw: are you aware of any previous firmware which is not affected by this issue? Maybe 1.0.1.42 worked? Any experience to share?

 

Thanks to all.

 

Looking forward to get some help from you or Netgear.

 

Best regards!

 

 

Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 17 of 40
mcrs969
Luminary

Re: D7000 OpenVPN Server configuration issue

Hi,

 

I have the very same issue, I initially did not need the VPN on smartphones but I have set it up and tried to connect, it was linking so I ended my test and kept using my device.

Yesterday I did more tests and I am in your same condition, VPN is linked but push is not correct so I can reach the D7000 (I have more than one and it is the same issue on all of them) but I can't go anywhere else.

 

Do you, or some mod, know when there will be a fix for this? if I'm not wrong the topic is dated end of 2016

Message 18 of 40
salopian
Aspirant

Re: D7000 OpenVPN Server configuration issue

I have given up with the router and now use my Synology NAS as the VPN server. It works perfectly  and I can access the whole of the LAN.

Come on Netgear, others can get it right.

Message 19 of 40
BMG
Aspirant

Re: D7000 OpenVPN Server configuration issue

I agree that this case should not be closed and that Netgear should actually read these community comments about this issue. Surely a company as if as Netgear would understand that social media can be extremely harmful to its reputation. Maybe we should all take to Twitter and Facebook to air our complaints about this issue.

I did ring Netgear support and the engineer I spoke to was not as hopeful as I wished he would be. All he kept pausing was the fact that I was outside the 90 day free phone support and that I would need to pay them money to extend the warranty for 1 year so that the engineers can investigate and tell me that there's a problem with the firmware when it comes to OpenVPN - what a f$&@!?g joke.

I told him to read the Netgear community and Whirlpool forums about this well-known documented bug - but it looks like no matter what we write in this forum it doesn't look like Netgear pay any attention.

What the engineer recommended is that I downgrade (yes downgrade) the firmware on the D7000 back to one of the original firmware versions to see if that fixes the issue - what a joke. I can guarantee that it won't. At this point I knew I'm dealing with a company that hires clowns and this issue may never be fixed.

Has anybody else contacted Netgear support about this issue?

At the end of the day a firmware upgrade is required to correct the OpenVPN issues for smartphones, as it works correctly when using it on my Mac (OSX). I've tried to change the smartphone config files to mirror the TAP settings for non-Windows devices but this fails, as the OpenVPN client application on my opinions needs that TUN setting so you cannot attempt to trick the application.

I have also tried the other settings for internet & home network access - FAILS, home network access - FAILS, and the auto setting - Wow a sense of success but when I investigated further all this did was try and detect the best possible internet access path which was using my 4G phone connection and not home network access - so another FAIL. I've also tried static routes, port forwarding, changing my home subnet - FAIL, FAIL, FAIL. After sounding like a Mythbusters episode, and trying different settings and workarounds, Netgear still want me to pay them so that their engineers could tell me the same thing: that the hard-coded OpenVPN server settings for TUN are not working and a new firmware needs to be released.

Come on Netgear, we the people of this community network that you urge us to use but do not read yourself have already extensively tested this bug and require you to now fix the issue. We have spent and bought a top end router because of the ability to use its bells and whistles to our advantage when building a secure home or small business network. When you buy a router of this type, where you can manipulate the settings, you are a competent IT professional with many years' experience who understands networks and network devices at a very advanced level and troubleshoots issues for a living.

All I'm asking is that Netgear as a reputable company read these comments about the VPN, respect us for our many years of knowledge and fix the issue because we've been waiting way too long. If we were to all take to social media and complain about the lack of support and that after the 90 day free support has expired Netgear want to charge to even discuss a known issue or bug, that would be more damaging to the company.

Anyone else wish to share their comments.
Message 20 of 40
soulneo
Aspirant

Re: D7000 OpenVPN Server configuration issue

Good news folks!

Today I was contacted by Netgear 2nd level technician to fix this issue.

He finally came up with a beta firmware which fixed this problem for good.

After our call, he told me that he will bring this topic to the engineers in order to release a new firmware asap.

 

So, let's hope Netgear engineers will listen to this hero.

 

Stay tuned!


Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 21 of 40
salopian
Aspirant

Re: D7000 OpenVPN Server configuration issue

Hooray!  They may get round to fixing something that should have worked from day one.

We should be so grateful that they are considering making the equipment, that we paid for, work.

 

Message 22 of 40
soulneo
Aspirant

Re: D7000 OpenVPN Server configuration issue

I see your point,

but complaining and blaming doesn't really fix or help here.

 

Netgear for sure made a mistake.

As well as, for sure, they should have been able to see it, recognize it and fix it from day 1.

 

But you know, **bleep** happens. 

 

Let's keep positive and focus on the fact they are now aware about this problem, they found a solution and they will probably come with a new firmware to fix it on every D7000 sold on the planet.

That's a win. For sure.

 

Better than complaining on a community that we discovered Netgear doesn't even give a s****.

 

Anyway, in my opinion the really bad or even worse part is related to the 0 assistance after the 90 days from the purchase (unless you pay for the extended support.. which is unbelievable!)

That's not acceptable at all.

 

Message 23 of 40
salopian
Aspirant

Re: D7000 OpenVPN Server configuration issue

Yes things do go wrong but it has been wrong for a long time.

The router is not a cheap model, ok it's not a very expensive business model, therefore I do expect a certain standard from it.

Will the problem which was posted earlier, that the certificate is the same for all routers, be addressed?

 

Even If fixed I probably won't use the router as a VPN endpoint as my Synology NAS does a fine job but it would be nice to have the choice if I put the router elsewhere.

Message 24 of 40
soulneo
Aspirant

Re: D7000 OpenVPN Server configuration issue

I agree with you, this router is not a cheap model and the expectations are high on a top level router (even if home user).

But Netgear was not completely foolish and, at least, the connection via Mac or Win works (and worked) just fine (tested myself with V1.0.1.44 firmware). So, the issue occurs (occurred in my case) just using the mobile phone VPN.

The technician said the problem would be addressed but I can't make promises. I do not work for Netgear. 😉 

 

Some people like you have found a different solution for this problem. There's always a workaround. 😉

I personally wanted to face it with Netgear support since my router was still covered by the 90 days full warranty and I had the chance to help you guys fixing something that maybe one day can be helpful for you as well.

 

Let's hope Netgear will share a new firmware with all of us soon.

 

They have to atone for what happened somehow.. 😉

maybe some new cool free feature ... (working one hopefully) 😄

 

 

Message 25 of 40