
BR500 VPN w/Mac Client

dfilip
Guide

BR500 VPN w/Mac Client

 

I am having difficulties setting up an “Instant” VPN on my new BR500 router.

 

My network topology is :

 

[Local LAN @ 192.168.1.0/24] <==> [BR500 @  65.110.137.192] <=> [Cable Modem] <=> [Public Internet] <=> [Laptop]

 

My intent is to set up a VPN connection from my [Laptop] to my [Local LAN].  My BR500 is running Firmware 5.5.0.1.  I tried the following steps:

 

1. I checked [X] Open VPN Service on the Advanced => Open VPN  on the BR500 web console

 

2. As per the ’OpenVPN client setup instruction => MacOSX’, I’ve installed Tunnelblick on my Mac laptop:

 

https://code.google.com/p/tunnelblick/ 

 

3.  I noted that the following warning was displayed during the installation:

 

  Warning: This VPN may not connect in the future.

 

  The OpenVPN configuration file for 'client' contains these OpenVPN options:

 

   • 'comp-lzo' was deprecated in OpenVPN 2.4 and has been or will be removed in a later version

 

 

  You should update the configuration so it can be used with modern versions of OpenVPN.

 

  Tunnelblick will use OpenVPN 2.4.6 - OpenSSL v1.0.2q to connect this configuration.

 

  However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.

 

4. I clicked ‘OpenVPN configuration package download’ which downloaded a zip file called: non windows.zip

 

5. I opened the Tunnelblick application, and dragged ‘client.conf’ into the ‘Configurations’ box, which added a ‘client’ configuration to Tunnelblick.

 

6. I have no idea what to do with these files, that were also included in the nonwindows.zip download file:

 

  • ca.crt
  • client.crt
  • client.key
  • dhcp-client-request.sh

 

7. If I select the ‘client’ configuration within Tunnelblick and click the [Connect] button on my laptop, it never connects.  I am not sure if there is anything else that I am supposed to do in order to make this work?

 

8. In the BR500 web console, the messages ‘Access to cloud is not available’ and ‘Access to VPN is not available’ still keep scrolling up, although Advanced => OpenVPN still shows [X] Open VPN service as checked.

 

9. Basic => VPN on the BR500 web consoles still says ‘No VPN Group.’

 

10. I am including the Tunnelblick connection log (below), and am attaching the full Tunnelblick diagnostic log, which contains even more information.

 

11. In the instructions (OpenVPN client setup instruction => MacOSX), there is a link for installing what looks like another OpenVPN client, but I’m not sure if that applies to Tunnelblick?

 

    https://openvpn.net/index.php/access-server/docs/admin-guides/183-how-to-connect-to-access-server-fr...

 

12. I suspect that I am missing one or more steps … can someone please point me in the right direction?

 

13. I have not downloaded OpenVPN separately (from the second link) as I am not entirely clear on whether Tunnelblick includes OpenVPN itself (I think it does), or if I have to download an OpenVPN client separately (I don't think I do?), or what else is required.

14. I had been successfully using IPSecuritas on my FVS318Gv2 for many years, and if there is any way that I can continue to use that client, I'd be very happy doing that as well.  That is a very popular open source IPsec VPN client for the Mac, but I would need help configuring it for the BR500.

 

Thanks,

 

Dave.

Message 1 of 17

Accepted Solutions
BretD
Admin

Re: BR500 VPN w/Mac Client

This issue was solved by using the built-in Insight VPN of the BR500. Please reach out if you have issues using other methods.


Message 17 of 17

All Replies
dfilip
Guide

Re: BR500 VPN w/Mac Client

The first two (2) times I tried to post this, I did not get an error, but it didn't post (I couldn't find my post after I uploaded it).  I *think* it might have been too long, so I took off the attachment and the VPN connection log.  I am trying to re-post JUST the Tunnelblick diagnostics here, in a second add-on post to the same problem.

 

Message 2 of 17
dfilip
Guide

Re: BR500 VPN w/Mac Client

Does anyone have any suggestions on how to get VPN working on a Mac on a BR500 Instant VPN router?

Message 3 of 17
MrJoshW
NETGEAR Expert

Re: BR500 VPN w/Mac Client

Hello,

 

Reviewing the logs I can see permission errors requiring admin permission to perform an action:

2019-04-02 11:50:52 Tunnelblick[54108] Tunnelblick needs to perform an
action that requires a computer administrator's authorization.

 

The user you are using, can you verify if it has admin rights and attempt to run the application again? What version of OSX are you currently using?

Message 4 of 17
dfilip
Guide

Re: BR500 VPN w/Mac Client

Thanks for the reply.  I've tried running Tunnelblick on two Macs, both running Mojave (10.14.4, one a MacBook Air, one a Mac Mini).

 

In both cases, I was logged into my "Admin" account, i.e., an account in the Administrators group that is the account I created when  I installed my Mac, and not 'root' per se, but one which I can 'sudo' to pretty much anything.

 

Can you confirm whether the steps I took were appropriate, or am I missing anything?  I assume that the extra files (ca.crt, client.crt, client.key) are only required if I am doing certificate authentication?  But I have not done anything with those files, because I'm not quite sure how I would use them?

 

 

 

 

Message 5 of 17
MrJoshW
NETGEAR Expert

Re: BR500 VPN w/Mac Client

Only the conf file needs to be copied to Tunnelblick during the setup process. You will drag the conf file to the top task bar and it will add the configuration. High Sierra has more locked down privacy and you would need to allow the developer to be able to run the program. To do that, navigate to Settings > Security & Privacy and under "Allow apps downloaded from" you should see the developer listed. Click allow and the program should now have access to execute the extension to run the VPN.

Message 6 of 17
dfilip
Guide

Re: BR500 VPN w/Mac Client

The only problem is that I am running Mojave, and there is no longer an option to "Allow apps downloaded from: Anywhere".  What usually happens is that if you try to run an app that is not permitted, you have (I think it is) 30 minutes to go to that same screen, where it will tell you that the app was prevented from running, with a button to "Allow to run anyway".  Unfortunately, I don't see that option when I run Tunnelblick.

Message 7 of 17
dfilip
Guide

Re: BR500 VPN w/Mac Client

Another update: I was able to get the 'Downloaded: Anywhere' option to appear by running the following command: $ sudo spctl --master-disable

 

Apparently, the good folks at Apple have decided to hide the 'Anywhere' option, no doubt to sell more Apple Developer licenses.

 

Nonetheless, that did not help.  I tried re-installing Tunnelblick, and that did not help.

 

What did help -- but not completely -- is editing the client.conf to add the remote IP of my firewall, and once I did that -- and deleted the old 'client' configuration, and added the new client configuration with the correct remote IP -- I can now connect.  I must have missed the step that said I had to edit this file to put my external IP in.

But alas, I now see bytes going out but no bytes coming back, with 'Waiting for server response' for several (>5) minutes, and no incoming bytes.

 

Because the client.conf had the remote IP address listed as '0.0.0.0', I have no idea what else might be wrong or missing, so I am including it in entirety here:

 

client
dev tap
proto udp
remote 0.0.0.0 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5
script-security 2
up dhcp-client-request.sh

 

Please let me know if I am missing anything else.  I did not copy the script (dhcp-client-request.sh) or the certificates referenced (client.crt, client.key, or ca.crt) into Tunnelblick, just this client.conf (again, after changing the remote IP to the external address of my BR500, which now allows me to connect, and I see outgoing bytes, but no incoming bytes).

 

I am also attaching the latest diagnostic information as a PDF.

 

Please let me know if you have any other suggestions,

 

Regards,

 

Dave Filip

 

 

 

 

 

 

Message 8 of 17
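An added example (not part of any post in this thread, and not NETGEAR or Tunnelblick code): a small Python check of the client.conf quoted above for the points the thread raises, namely the 0.0.0.0 remote placeholder, the companion files the config references, and the deprecated comp-lzo option; it also flags script-security 2, which permits the 'up' script to run. The function name `audit` and the folder argument are assumptions made for illustration.

```python
import os

# Constructed sample: the client.conf quoted in the post above, unchanged.
SAMPLE_CONF = """client
dev tap
proto udp
remote 0.0.0.0 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5
script-security 2
up dhcp-client-request.sh
"""

FILE_OPTIONS = ("ca", "cert", "key", "up")  # options whose first argument is a file

def audit(conf_text, conf_dir):
    """Return findings for a client.conf whose companion files live in conf_dir."""
    findings = []
    for raw in conf_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0][0] in "#;":      # skip blank lines and comments
            continue
        opt, args = parts[0], parts[1:]
        if opt == "remote" and args and args[0] == "0.0.0.0":
            findings.append("remote: 0.0.0.0 is a placeholder, set the router's WAN address")
        elif opt in FILE_OPTIONS and args:
            if not os.path.isfile(os.path.join(conf_dir, args[0])):
                findings.append(f"{opt}: {args[0]} not found beside the config")
        elif opt == "comp-lzo":
            findings.append("comp-lzo: deprecated since OpenVPN 2.4")
        elif opt == "script-security" and args and args[0].isdigit() and int(args[0]) >= 2:
            findings.append("script-security: level 2 lets OpenVPN run the 'up' script, review it")
    return findings

if __name__ == "__main__":
    # "." stands for the folder the zip was unpacked into (assumption).
    for finding in audit(SAMPLE_CONF, "."):
        print("-", finding)
```
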
MrJoshW
NETGEAR Expert

Re: BR500 VPN w/Mac Client

Hello,

 

Just to clarify, are you setting up OpenVPN with the local GUI of the BR500 or attempting to use the Insight Instant VPN? The Insight Instant VPN does not require the OpenVPN client and has its own independent client.

Message 9 of 17
dfilip
Guide

Re: BR500 VPN w/Mac Client

That is an excellent question!  No, I am following the instructions in the web GUI of the BR500.

 

I am somewhat confused by the Insight phone app, which doesn't appear to do much without purchasing a 'Pro' license.

 

And as I understand it the 'Pro' license is required for running Insight on a web browser?

 

I don't want to spend any additional $/month if I don't have to.

 

Since the BR500 Admin GUI has instructions for using Tunnelblick, it appears as though that is supposed to work, without purchasing Insight Pro?

 

Or is that not possible?

 

I was perfectly happy running the Mac Securitas VPN software with my old FVS318Gv2, and am trying to do the closest equivalent on the BR500 (since the FVS318Gv2 is no longer supported by Netgear, and after several years has become unreliable). 

 

I would be happy with any solution that doesn't cost me more $/month.

 

Please advise.

 

Message 10 of 17
MrJoshW
NETGEAR Expert

Re: BR500 VPN w/Mac Client

-Insight Instant VPN does require a VPN license but does not require an Insight Pro license to use the service. The Insight Instant VPN can be managed through the Insight APP as long as you are using only up to two Insight powered devices to be managed in the APP.

 

-If you are having issues starting the Tunnelblick client, as long as the VPN client you are using supports OpenVPN you can use the client and import the files included in the nowindows.zip from the BR500. A list of available clients can be found on the OpenVPN site.

https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-macos/

 

Message 11 of 17
dfilip
Guide

Re: BR500 VPN w/Mac Client

OK, yes, I had seen that the Insight license is free if I only have two (2) Insight devices.  However, I could figure out how to set up Insight without incurring a cost.  Can I do that in a web browser, and if so, can you supply a URL to get started?  I did bounce around a few different pages, and it wasn't clear to me.

 

I have a BR500 and an Orbi "Insight" routers on my network ... the Orbi WiFi is actually a RBR40 router with two RBW30 mesh satellites.  I'm not sure if Insight would count this as two devices, or four because of the satellites?

 

Nonetheless, I went with Tunnelblick because that was what was included in the instructions within the BR500 web GUI console.  However, does the fact that the .conf file that was downloaded did not include the remote IP of the BR500 -- it contained 0.0.0.0 as the remote IP -- indicate a problem?

 

If you believe that using the Insight app would be better / easier, I'm willing to give that a try, if having just the BR500 and Orbi won't cost me any monthly $$$ (assuming that the satellites don't put me above the two device limit).

 

Please advise.  If you could provide a link on getting started with Insight from a web browser, that would be appreciated, as again, I got a bit lost when I tried to go that route.  Thanks.

 

Message 12 of 17
MrJoshW
NETGEAR Expert

Re: BR500 VPN w/Mac Client

-To manage Insight devices through the web browser it does require an Insight Premium license. You can only manage the devices through the app as an Insight Basic user.

-The RBR40 is not Insight capable as it is an Orbi device. Only the Orbi Pro SRR60 can be added to Insight to be managed.

-The Insight Instant VPN solution is easier. After the device has been added to Insight and is reporting online in the app select the BR500 device and select VPN Group > + sign to create and name a VPN Group > Add device and select the BR500 device. The device is now added to the VPN group and is now accessible remotely.

 

Message 13 of 17
dfilip
Guide

Re: BR500 VPN w/Mac Client

Sorry, but to be clear ... I think I may have confused matters by calling it 'Pro' ... if I only have the BR500 as my one and only Insight device ... I understand that the Orbi, which is my only other Netgear device is non-Insight ... can I use Insight Premium for free through a web browser?

 

The end goal here has been to get VPN working on my MacBook Air, so I am assuming that means that I need to use a browser, and therefore I need an Insight Premium license?

 

As I believe the "Insight Basic" app is only available for phones and tablets?

 

However, when I click the '[Upgrade]' button on the https://insight.netgear.com web page, I am given two options: $0.99/Mo per device, or $9.99/Yr per device,  I don't see the "free for only one device" option ... ???  Which is why I was following the BR500 Admin GUI instructions for Mac, which provided a link to Tunnelblick ... which is an OpenVPN client for the Mac.

 

 

Message 14 of 17
dfilip
Guide

Re: BR500 VPN w/Mac Client

Also, I did try signing up for the '30 day free trial' of Insight Premium.  I've added my BR500, it displays as being on-line, but when I click 'Create VPN Group', it tells me: "You do not have sufficient credits to add a new group. To add a new group, purchase a new VPN Service plan."

 

All I want to do is get my MacBook Air working on VPN!

 

Message 15 of 17
MrJoshW
NETGEAR Expert

Re: BR500 VPN w/Mac Client

Hello,

 

Sending you a private message with a possible solution, hope it helps.

Message 16 of 17
BretD
Admin

Re: BR500 VPN w/Mac Client

This issue was solved by using the built-in Insight VPN of the BR500. Please reach out if you have issues using other methods.

Message 17 of 17