
Re: BR500 VPN and IPSec Example w/Open Source

dfilip
Guide

BR500 VPN and IPSec Example w/Open Source

Since the BR500 supposedly has VPN Support for both OpenVPN and now IPSec (same underlying protocol, more options), I was wondering if anyone has successfully gotten any Linux with open source software (e.g., OpenVPN, Openswan, etc., from command line) to work with the BR500?

 

I was unsuccessful in getting the "out-of-the-box" OpenVPN working with any of my Mac computers, so I have not yet started experimenting with Linux OpenVPN, but before I do, I would be interested in knowing if anyone out there was successful and can offer any advice?

 

The only VPN that I was ever able to get working with the BR500 was Insight, but I'm paying monthly $ for that, and they don't yet have a Linux solution.  When I opened a ticket about Linux VPN, I was basically told that it was a good idea and that other people have suggested it, but NETGEAR made no commitment about ever doing anything about it.

 

So is anyone out there who is more fluent in these things than me able to figure it out?

 

Thanks in advance!

Model: BR500|Insight Instant VPN Router
Message 1 of 12

All Replies
schumaku
Guru

Re: BR500 VPN and IPSec Example w/Open Source


@dfilip wrote:

Since the BR500 supposedly has VPN Support for both OpenVPN and now IPSec (same underlying protocol, more options)


No way, not the same at all. IPSec is IPSec, and OpenVPN is based on SSL. If that's not clear it will be a hard learning curve. For your convenience:

 

OpenVPN (MacOS): NETGEAR Insight Instant VPN Router BR500 User Manual, p.131 ff "Install the OpenVPN client utility and VPN configuration files on a Mac" (using Tunnelblick) - works for my customers as documented.

IPSec: How do I set up a site-to-site IPSec VPN on my NETGEAR BR500 Business Router? - works for us.

 

Message 2 of 12
MrJoshW
NETGEAR Expert

Re: BR500 VPN and IPSec Example w/Open Source

Hello,

 

You'll need to export the OpenVPN file from the BR500 and import it in the OpenVPN client setup on your Linux environment. What Linux setup are you using? If you are using Ubuntu there's some guides on the Ubuntu site I can send over to walk you through the process.

Message 3 of 12
dfilip
Guide

Re: BR500 VPN and IPSec Example w/Open Source

Thanks, I am trying to get this working from an AWS EC2 cloud server, which as far as I can tell looks a lot like CentOS 7 (rpm & yum, /etc/sysconfig, systemctl, etc.).  I have a lot of experience in the CentOS / Redhat Fedora world, less in Ubuntu, but can probably translate.

 

If you have some instructions for Ubuntu, I can probably make sense of that.  The only limitation is that I have command line only access to the server, no GUI.

 

I could never get the latest tunnelblick working on any of my Macs, at least not on Mojave, which did throw up a few warning messages when I installed it.  It would just hang at 'Connecting' and not get any further, and nothing in the BR500 log. I did not set up Dynamic DNS on the BR500, which looked like it was optional, but in the end I just gave up and paid $$ to use Insight VPN.  But I understand that is not an option for Linux currently.

 

That was also with firmware 5.5.0.1.  I have since upgraded to 5.6.0.1.  And I never tried using a Dynamic DNS, although someone I was working with @ NETGEAR said that they had gotten it to work on their Mac running Mojave and the NETGEAR DynDNS.  [I had recently installed the BR500 at the time, had a business trip in 2 days, so I went with Insight VPN just to get something working quickly and reliably, after spending a few days trying OpenVPN and tunnelblick without success.]

 

My question is what OpenVPN configuration do I need to download from the BR500 for use with Linux?  Should I try using the Mac configuration again?  Or one of the mobile options?  I know that macOS is sorta/kinda like FreeBSD (but different in a lot of ways).

 

My problem with the IPSec instructions is that I am not familiar enough to know what values to use on the router.  For example, I have detailed instructions for installing Libreswan (formerly Openswan) from the RedHat portal (sec-securing_virtual_private_networks), but I'm not quite sure on how to configure the BR500 side of things.

 

Thanks in advance for any OpenVPN Linux <=> BR500 instructions you can provide.  Once I can get this running on Linux, I'll go back and re-try macOS again.  But the lack of any useful information in the BR500 log made it difficult to troubleshoot.

Model: BR500|Insight Instant VPN Router
Message 4 of 12
MrJoshW
NETGEAR Expert

Re: BR500 VPN and IPSec Example w/Open Source

Reviewing some of the documentation on the Ubuntu side, you can use easy-openvpn, which is straightforward:

 

https://docs.ubuntu.com/core/en/stacks/network/easy-openvpn/docs/openvpn-client-setup

 

You will need the ovpn file, which can be downloaded from the "smartphone" button in the BR500 OpenVPN local interface and placed in the home directory path.

Message 5 of 12
schumaku
Guru

Re: BR500 VPN and IPSec Example w/Open Source

Deriving here from the subject, and talking OpenVPN only.

 


@dfilip wrote:

I could never get the latest tunnelblick working on any of my Macs, at least not on Mojave, which did throw up a few warning messages when I installed it.  It would just hang at 'Connecting' and not get any further, and nothing in the BR500 log. I did not set up Dynamic DNS on the BR500, which looked like it was optional, ....  And I never tried using a Dynamic DNS, although someone I was working with @ NETGEAR said that they had gotten it to work on their Mac running Mojave and the NETGEAR DynDNS.

The OpenVPN client configuration must contain a valid "remote [host-IP-orFQDN] [port]" section, not sure what will be in there if no DDNS service/host is configured. On other Netgear routers it's mandatory.

 


@dfilip wrote:

My question is what OpenVPN configuration do I need to download from the BR500 for use with Linux?  Should I try using the Mac configuration again?

Isn't the OpenVPN config packet provided under the "for MacOS" label named "nonwindows"? Everything you need is in there, e.g. for whatever U**x flavour. The beauty of OpenVPN is - different from IPSec - that it's dead simple:

 

Ubuntu/Debian/...

apt-get install openvpn

Once the openvpn package is fetched from the Internet and installed, run the client with the --version argument to make sure that it is version 2.1 or higher:

 

openvpn --version

>OpenVPN 2.1_rc15e x86_64-unknown-linux-gnu […]
[…]

 

Running the OpenVPN client with the downloaded client config file

Usually, the easiest way to install an OpenVPN client is to use the --config argument to specify the location of the downloaded client config file:

 

openvpn --config client.conf

Note: You need all the files provided on the Linux end, when I have it right along with the client.conf file.

 

Message 6 of 12
dfilip
Guide

Re: BR500 VPN and IPSec Example w/Open Source

Just giving the Mac + Tunnelblick another try - after upgrading to firmware 5.6.0.1 on the BR500 and setting up NETGEAR DynDNS -- now that I know it is free!

 

Tried installing Tunnelblick again on my Mojave MacBook Air ... and still no joy.  The difference between having DynDNS and not is that the remote line in the configuration file has 0.0.0.0 if I do not have DynDNS, and my DynDNS name if it is configured.  Nonetheless, I had manually entered the external IP of my BR500 previously in client.conf (when I was not using DynDNS).

 

Either way, it doesn't seem to make a difference, in that when I try to connect, I see packets going out, but it is stuck at 'Waiting for server response', and no packets ever come in, no matter how long I wait.

 

However, I have had to add 'dev tun' and remove 'dev tap' from the client configuration file, as per web instructions that pop up explaining what to do when I get the 'kext' errors ... apparently kernel modules that can't be loaded on Mojave.  So I am not sure if that is causing my problems?

 

I have also never been clear on how tunnelblick finds the files in 'nonwindows', e.g., client.crt, client.key, ca.crt, dhcp-client-request.sh, etc.  I have those installed in a 'nonwindows' folder on my Desktop, but tunnelblick gets installed in /Applications.  So I drag client.conf into tunnelblick, but how does it know where the other files are located?  Does it just assume they are in the same folder from which client.conf was dragged?  Nonetheless, I also tried editing client.conf to add explicit file paths to the files, "just in case".  Also tried installing Tunnelblick in the nonwindows folder and launching it from there.  I'm just not sure how it is supposed to work?

 

So has anyone gotten OpenVPN with tunnelblick to work on Mojave with the BR500, which has the 'kext' errors unless I remove 'dev tap' and put in 'dev tun'?  If so, can you please send me your client.conf (you can mask out your remote line)? And let me know where you have installed the nonwindows files so that they are found?

 

Thanks!

Model: BR500|Insight Instant VPN Router
Message 7 of 12
MrJoshW
NETGEAR Expert

Re: BR500 VPN and IPSec Example w/Open Source

You can use any VPN client as long as it supports OpenVPN. One I could recommend trying is the OpenVPN client 3.0.2 build as it works with Mojave, you will just need to use the ovpn file from the "smartphone" button in the OpenVPN section of the BR500 local interface.

 

https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-macos/

Message 8 of 12
schumaku
Guru

Re: BR500 VPN and IPSec Example w/Open Source

The tap vs. tun is the reason why @MrJoshW does suggest using the smartphone config - because smartphones don't allow loading a bridge module (unless your mobile device is rooted). The same requirement does apparently cause issues on MacOS 10.14.5 Beta 2 ... the project says it's fixed with the Beta 3 (unclear what is the status with the released 10.14.5) - one does routing, the other does direct bridging.

 

If you wouldn't mind copying and pasting the complete error messages ... this would help a lot.

 

FMI:

https://tunnelblick.net/cKextNotarization.html

https://tunnelblick.net/cKextLoadError.html

https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

 

In any case, when enabling DDNS on the router, the "ready made" OpenVPN configs on the router are supposed to be updated - obviously one has to download the configuration file collection and put it in place again - if the DDNS isn't added properly - it's a bug.

 

Message 9 of 12
dfilip
Guide

Re: BR500 VPN and IPSec Example w/Open Source

OK, I have some more failures, but I think I may have found the root cause of my problems.

 

I tried downloading and running OpenVPN 3.02, but unfortunately it just hangs - spinning colored disc.

 

My problem with tunnelblick was that it just hangs at connecting.

 

I actually do have successful VPN software running on this computer called Pritunl, which I use to successfully connect to my client's network.  I did a bit of digging, and realized that it is using OpenVPN (which I also verified through the logs).

 

So I tried to import the smart_phone.ovpn file into Pritunl that I downloaded from the BR500 ... which it gladly did ... and it also hangs when trying to connect (although eventually times out).  Whereas while the same Pritunl client is running, it can successfully connect to my client's network.

 

So, looking at the configuration files downloaded from the BR500 ... both for Mac and for smart phone ... they both have:

 

      remote colornet.mynetgear.com 12973

 

However, if I try to telnet to that port from my computer:

 

    $ telnet colornet.mynetgear.com 12973

    Trying 65.110.137.194...

    telnet: connect to address 65.110.137.194: Operation timed out

    telnet: Unable to connect to remote host

 

The BR500 does not permit connections on that port!  I also verified the IP (which I set internally to cerberus.colornet.com):

 

    $ telnet cerberus.colornet.com 12973

    Trying 65.110.137.194...

    telnet: connect to address 65.110.137.194: Operation timed out

    telnet: Unable to connect to remote host

 

So the external IP address of my BR500 is correct, but the port does not permit connections. I can successfully ping to that IP:

 

    $ ping colornet.mynetgear.com

    PING colornet.mynetgear.com (65.110.137.194): 56 data bytes

    64 bytes from 65.110.137.194: icmp_seq=0 ttl=49 time=67.259 ms

    64 bytes from 65.110.137.194: icmp_seq=1 ttl=49 time=121.518 ms

    64 bytes from 65.110.137.194: icmp_seq=2 ttl=49 time=90.467 ms

    ^C

 

so I can see my BR500.  And my telnet to port 12973 fails from several computers on my network, as well as from my AWS Cloud servers (one is CentOS 7 and one is SuSE).  So the problem is not my computer or my network.

 

So while this explains all of my failed attempts, why isn't the BR500 opening up this port?

 

Any ideas on where to go from here?  Thanks in advance!

 

Model: BR500|Insight Instant VPN Router
Message 10 of 12
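Pulling together the client-side pitfalls raised across this thread (a `remote` line of 0.0.0.0 when DDNS is off, `dev tap` failing where a bridge module cannot load, cert files looked up next to client.conf, and a TCP `telnet` probe timing out against a UDP OpenVPN port), here is an added POSIX shell pre-flight checker; it is not code from the thread, from NETGEAR or from the OpenVPN project, and the two sample configs and the hostname router.example.net are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or NETGEAR): pre-flight checks for an
# OpenVPN client config exported from a router, covering the pitfalls raised
# in this thread. Hostnames and both sample configs below are constructed.

ovpn_directive() {
  # Print the arguments of the first occurrence of directive $1 in config $2.
  awk -v d="$1" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

ovpn_check() {
  # Print one finding per line; return the number of blocking problems.
  cfg=$1
  dir=$(dirname "$cfg")
  problems=0

  # 1. 'remote' must name the router's WAN IP or DDNS FQDN, never 0.0.0.0.
  remote=$(ovpn_directive remote "$cfg")
  case "${remote%% *}" in
    ''|0.0.0.0) echo "remote: missing or 0.0.0.0 (enable DDNS or set the WAN address)"
                problems=$((problems + 1)) ;;
  esac

  # 2. OpenVPN defaults to UDP: a TCP probe (telnet) times out even when the
  #    port is open, so a telnet timeout proves nothing about the UDP service.
  proto=$(ovpn_directive proto "$cfg")
  case "${proto:-udp}" in
    udp*) echo "proto: udp; do not judge reachability with telnet (TCP only)" ;;
  esac

  # 3. 'dev tap' needs a bridge driver that mobile clients and recent macOS
  #    cannot load; the routed 'dev tun' (smartphone) profile avoids it.
  case "$(ovpn_directive dev "$cfg")" in
    tap*) echo "dev: tap requires a bridge/kext; prefer the tun profile"
          problems=$((problems + 1)) ;;
  esac

  # 4. ca/cert/key given as file names are resolved next to the config file;
  #    inline <ca>...</ca> blocks have no file argument and are skipped.
  for d in ca cert key; do
    f=$(ovpn_directive "$d" "$cfg")
    [ -n "$f" ] || continue
    case "$f" in /*) p=$f ;; *) p="$dir/$f" ;; esac
    [ -f "$p" ] || { echo "$d: '$f' not found in $dir"; problems=$((problems + 1)); }
  done
  return "$problems"
}

# Constructed samples: a 'nonwindows'-style client.conf with the classic
# problems, and a smartphone-style .ovpn with inline CA and a valid remote.
WORK=$(mktemp -d)
mkdir -p "$WORK/nonwindows"
SAMPLE_BAD="$WORK/nonwindows/client.conf"
printf '%s\n' client 'dev tap' 'proto udp' 'remote 0.0.0.0 12974' \
  'ca ca.crt' 'cert client.crt' 'key client.key' >"$SAMPLE_BAD"
SAMPLE_GOOD="$WORK/smart_phone.ovpn"
printf '%s\n' client 'dev tun' 'proto udp' 'remote router.example.net 12973' \
  '<ca>' '(constructed placeholder, not a real certificate)' '</ca>' >"$SAMPLE_GOOD"

for c in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
  echo "== $c"
  ovpn_check "$c" || echo "blocking problems: $?"
done
```

Run it against the real client.conf or smart_phone.ovpn from the router before opening a ticket; a clean result narrows the fault to the router or the path between the two ends.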
dfilip
Guide

Re: BR500 VPN and IPSec Example w/Open Source

Also, just to answer the extremely obvious question, I am attaching a screen shot of the Open VPN page on my BR500, which shows the service enabled.  Given the fact that I can't connect from an external server to either port 12973 or 12974, I did the following:

 

1) Uncheck the Open VPN Service and click [Apply]

2) Reboot the BR500

3) Check the Open VPN Service and click [Apply]

4) Reboot the BR500

 

Just hoping to 'reset' something that didn't get set the first time around.

 

But I still cannot connect to either port 12973 or 12974 from an external server.  By 'external', I mean either one of my AWS Cloud servers (which allow all outgoing connections), or my laptop connected to the Internet through my phone (via data services).

 

I also cannot connect to either port from my internal network -- the LAN side of the BR500 -- but perhaps that should be expected.

 

Model: BR500|Insight Instant VPN Router
Message 11 of 12
dfilip
Guide

Re: BR500 VPN and IPSec Example w/Open Source

Just an FYI that I finally got OpenVPN working on my BR500 ... and although I am not 100% sure what the root cause was, I think it was just that my router was "confused" (I'm using that term in a "technical" way).

 

Previously, I tried three (3) separate OpenVPN clients, and all would just hang at 'connecting', and tunnelblick would explicitly show data being sent but no data received.

 

So what did I do to get it working?  I went to the OpenVPN page of the BR500 web GUI, changed ports from 12973 (TUN) /12974 (TAP) to different ports (I tried 1194/1195), changed it from UDP to TCP, could briefly telnet to those ports from an external server, changed it back to UDP and 12973 / 12974, and voila!, my prior OpenVPN software install (previously not working) on my (remote) Mac started working!  I can only conclude that something was "confused" (technical term), and that I "un-confused" it by "playing" with the ports and protocol, which must have reset something in the router configuration.  [No doubt any Netgear engineers reading this are now cringing by this description.]

 

In fairness, the very, very, very first time I tried to turn OpenVPN on via the BR500 web GUI, it just kinda hung ... this was several firmware releases ago ... I left it for about 5 minutes with the "spinning circle" ... and then did a reboot of the router (closed the web browser, opened a new web browser, and re-booted from the Dashboard page of the BR500 web GUI ... no, I did NOT simply pull the plug!).  I think that might have been what originally "confused" it, although in fairness, all I did to get the 5+ minute spinning circle before rebooting the router was click the 'Open VPN Service' checkbox in the web GUI, and then click 'Apply' (again, this was several firmware releases ago ... although simply installing newer firmware releases did NOT fix my problem ... it appears that "playing" with the ports and protocols is what did it). [Any Netgear engineer still reading this is no doubt cringing even more at me rebooting, but more than 5 minutes of a spinning circle exceeds my patience ... and yes, I did time it].

 

For those keeping track of my numerous (!) posts complaining about the BR500, in addition to getting my Mac to connect to my BR500 via OpenVPN, I also successfully got my Linux cloud server connecting to my BR500 via OpenVPN.  I simply installed the OpenVPN software (yum install on CentOS 7), downloaded the 'iPhone' configuration (ovpn) file from the BR500, uploaded it to my Linux server, and then started OpenVPN from the Linux command line:

 

        $ sudo openvpn --config smart_phone.ovpn --daemon

 

and voila!, my Linux cloud server can now talk to my local (LAN) servers behind the BR500.

 

So I now have NO OUTSTANDING PROBLEMS on my BR500.  The rabbit hole I previously got lost down was connecting to the Insight service and configuring Insight Instant VPN for additional $ ... after that, I had numerous other problems (see my earlier posts if you care what problems), but my BR500 has been stable since disconnecting from the Insight service, and I now have OpenVPN working, so I'm a happy camper! 🙂

 

Thanks to all the other customers on this forum and Netgear engineers who made suggestions and eventually got me here (along with a bit of trial-n-error along the way!).

 

I'm sharing all of this in the hopes that it may (could? possibly?) help anyone else, and I invite anyone else struggling with the BR500 to contact me for further clarification on any of this, if you so desire.

 

But mostly I want to get the emotional satisfaction of clicking the 'Solved' button on one of my own posts .... 😉

Model: BR500|Insight Instant VPN Router
Message 12 of 12