Netgear has to upgrade to SHA256 or will face charges/damages (Due diligence/state of the art)

Morganino
Tutor

Netgear R7000 and OpenVPN for Android App

Hi,

Since the last OpenVPN for Android app update (v.0.6.73), downloadable at the following link:

https://play.google.com/store/apps/details?id=de.blinkt.openvpn

the OpenSSL version was upgraded to 1.1 and I cannot connect to my R7000 router from outside anymore because, for security reasons, OpenSSL v1.1 doesn't accept MD5 certificates, as they have a weak signature.

Could Netgear upgrade the R7000 firmware to create OpenVPN SHA256 certs instead of MD5? Below is the OpenVPN FAQ with explanations:

http://ics-openvpn.blinkt.de/FAQ.html#weakmd_title

It's a security enhancement that may be helpful to the whole community that has this fantastic router.

 

Router Firmware: 1.0.7.12

Smartphone Model: LG Google Nexus 5X v.7.1.2 with June 5th 2017 patches.

 

Regards.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 139

Accepted Solutions
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.

 

Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:

 

http://192.168.1.1/debug.htm

 

If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.

Message 73 of 139

All Replies
agil
Initiate

Re: Netgear R7000 and OpenVPN for Android App

Hi,

 

Running R7000 with the 1.0.8.34 North American firmware, and facing connectivity issues with the latest OpenVPN for Android release - How to generate the OpenVPN SHA256 certifications?

 

Regards

Message 2 of 139
Morganino
Tutor

Re: Netgear R7000 and OpenVPN for Android App

You cannot enroll SHA256 Certificates by yourself, you need Netgear to update R7000 Firmware and include this enhancement.

I hope Netgear will consider this in next firmware release.

Message 3 of 139
Morganino
Tutor

Re: Netgear R7000 and OpenVPN for Android App

As suggested in the above link, if you want to connect again to OpenVPN on the R7000 you need to add:

tls-cipher "DEFAULT:@SECLEVEL=0"

in your OpenVPN for Android profile advanced configuration, but you're exposed to the MD5 weakness vulnerability.

Hope Netgear will upgrade firmware asap.

 

Regards.

Message 4 of 139
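
An added example, not part of any post in this thread: a small audit that flags the `tls-cipher "DEFAULT:@SECLEVEL=0"` workaround and any certificate whose signature algorithm is MD5 or SHA-1. It assumes the profile text and the PEM certificates (inline or appended) are passed as one string; `sample_pem` builds a constructed DER skeleton, not a real router certificate.

```python
import base64, re

WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _tlv(buf, pos):  # -> (value_start, value_end) of the DER element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def _oid(raw):
    """Decode OID content bytes to dotted form (first arc 0 or 1 assumed)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def sig_alg_oid(der):
    """OID of Certificate.signatureAlgorithm, the element after tbsCertificate."""
    cert_start, _ = _tlv(der, 0)
    _, tbs_end = _tlv(der, cert_start)
    alg_start, _ = _tlv(der, tbs_end)
    oid_start, oid_end = _tlv(der, alg_start)
    return _oid(der[oid_start:oid_end])

def audit(text):
    """Findings for profile text with PEM certificates inline or appended."""
    findings = []
    if re.search(r"^\s*tls-cipher\s.*@SECLEVEL=0", text, re.M):
        findings.append("tls-cipher sets OpenSSL security level 0")
    pem = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    for m in re.finditer(pem, text, re.S):
        oid = sig_alg_oid(base64.b64decode(m.group(1)))
        if oid in WEAK_SIG_OIDS:
            findings.append("certificate signed with " + WEAK_SIG_OIDS[oid])
    return findings

def sample_pem(last_arc):
    """Constructed DER skeleton (not a real certificate) with the given sig OID."""
    alg = bytes.fromhex("300d06092a864886f70d0101") + bytes([last_arc]) + b"\x05\x00"
    b64 = base64.b64encode(b"\x30\x14\x30\x00" + alg + b"\x03\x01\x00").decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
SAMPLE = 'client\ntls-cipher "DEFAULT:@SECLEVEL=0"\n<ca>\n' + sample_pem(4) + "</ca>\n"
print(audit(SAMPLE))
```

On a real profile, concatenate the `.ovpn` file with the CA and client certificate files and pass the result to `audit`.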
agil
Initiate

Re: Netgear R7000 and OpenVPN for Android App

Thanks. That did the trick. OpenVPN for Android can connect now. Joining the request to Netgear to release a firmware upgrade, removing the MD5 weakness.

 

Regards,

Message 5 of 139
schumi2004
Initiate

Re: Netgear R7000 and OpenVPN for Android App

Adding that line to configuration makes it work again but at the end the current VPN implementation from Netgear is not safe and they should upgrade asap.

Message 6 of 139
GearNetRouter
Virtuoso

Re: Netgear R7000 and OpenVPN for Android App

Can Netgear get its s h i t together and fix the firmware? Why is NG not proactive enough to fix this in advance? WTF?

Message 7 of 139
karl11
Initiate

Re: Netgear R7000 and OpenVPN for Android App

I'd like to use OpenVPN on my R6900 too, but MD5 keys are just reckless these days.  Netgear needs to fix this.

Model: R6900|Nighthawk AC1900 Smart WiFi Router
Message 8 of 139
96708
Apprentice

Re: Netgear R7000 and OpenVPN for Android App

Any update to this BS?


@karl11 wrote:

I'd like to use OpenVPN on my R6900 too, but MD5 keys are just reckless these days.  Netgear needs to fix this.


 

Message 9 of 139
kuser
Star

Netgear has to upgrade to SHA256 or will face charges/damages (Due diligence/state of the art)

It is embarrassing and roughly negligent that NG still uses md5 these days.

Netgear has to upgrade its Firmware to SHA256 or better or may face charges in case of damages (Due diligence/state of the art).
Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 10 of 139
ClarDold
Apprentice

Re: Netgear R7000 and OpenVPN for Android App

OpenVPN says MD5 will stop working in April 2018. See screenshot.
Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 11 of 139
96708
Apprentice

Re: Netgear R7000 and OpenVPN for Android App

Yup. I encourage you to file a BBB complaint. Need to throw the hammer down on NG or nothing gets done IMO.

Message 12 of 139
kuser
Star

Netgear has to upgrade to SHA256 or will face charges/damages (Due diligence/state of the art)

BBB complaint? Is that the way to go: https://www.bbb.org/consumer-complaints/file-a-complaint/get-started

 

Maybe we should all do that?

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 13 of 139
CyBuzz
Guide

Re: Netgear R7000 and OpenVPN for Android App

I agree. This needs to be resolved. I am on firmware V1.0.9.18_1.2.27 and just re-downloaded all my OpenVPN stuff and still get the messages. Frustrating but not as much as it will be in May 😞

Using OpenVPN Connect 1.1.27(build 96)

I don't get any messages with Tunnelblick

Message 14 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Netgear is using MD5 for the VPN?!

HOLY ****! That's terrible!

Not only this, but we can't even generate new keys on the router still.

Netgear security is a total joke if this is true.
Message 15 of 139
96708
Apprentice

Re: Netgear R7000 and OpenVPN for Android App

NG doesn't give a flying F how many times you call or write about MD5 here. So throw the hammer down and file the BBB complaint.

Message 16 of 139
CyBuzz
Guide

Re: Netgear R7000 and OpenVPN for Android App

BBB Complaint filed.

Message 17 of 139
96708
Apprentice

Re: Netgear R7000 and OpenVPN for Android App


Good for you. I filed one as well. Keep the pressure on. I consider this a simple napalm flyover sprayover on them to light them on fire so to speak. The sum-of-all-fears nuclear option is still available and that would be initiating the help of cybersecurity firms. Only with broad exposure in the news -- and damage to the image of the brand along with lost sales -- will they really do anything IMO.

Message 18 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

After spending a day or so, I have managed to replace the VPN certificates and keys on the R7000 and verified it's working using OpenVPN Client app for Android. Also verified the old, replaced keys are dead.

I can try to post a tutorial but it will take some time and will be quite long just because of the number of tools involved. I also can only post a Windows guide but it should be possible from any platform.

Anyway: My point is it's possible, but it definitely isn't easy.
Message 19 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Also, if NG engineering is reading, I would say not only md5 signature but also size of the keys and DH param size are really not acceptable. Probably this has been optimized to minimize key generation time per unit, but I think this has to be improved.
Message 20 of 139
juched
Apprentice

Re: Netgear R7000 and OpenVPN for Android App

Please do post steps. I played with ASUS Merlin Vortex for my R7000 and liked it a lot. CPU usage very low and I can control the VPN certificate directly. Just wanted to use circle.

At this point I am planning to buy a real circle and get off the official Netgear firmware.

But, it would be good to know how to change it if I wanted to.
Message 21 of 139
ClarDold
Apprentice

Re: Netgear R7000 and OpenVPN for Android App

I won't enjoy some pointers.
I don't need detailed steps. I might not want lots of hacking.
I have done things like mounting iso images for modification and such, using Linux tools.

If you message me directly, we could chat about how difficult it seems. I have done formal documentation.

If there's no update from Netgear, I might look to DD-WRT.
Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 22 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

I have asked one of the moderators if it's okay to make a new post with steps, since I don't know if such things are allowed. I hope I get a thumbs up, since this will help people solve the problem themselves at least in the short term. When I hear back I'll follow up.

BTW, I did manage to get SHA256 certs working, and surviving reboot and firmware changes, so that's good news. Also, larger key sizes and DH params work too.
Message 23 of 139
Kilrah
Guide

Re: Netgear R7000 and OpenVPN for Android App

+1 for this. The main reason I bought an R7000 was because I wanted a built-in VPN server feature, but it's been a letdown to find that it's been completely neglected and using outdated security. Was a pain to find a client that would connect, and even that one will be dropping support for MD5 soon, rightfully so.

Netgear, you seem to be pretty reactive in releasing updates for other security issues, please consider that one with the same level of importance.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 24 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

@ElaineM @JamesGL @ChristineT can one of you give me thumbs up that it's okay to post the steps to update the keys in a new thread here. I just want to confirm that it wouldn't break the rules to do so.
Message 25 of 139