Morganino
Jun 26, 2017, Tutor
Netgear R7000 and OpenVPN for Android App
Hi, since the last OpenVPN for Android App update (v.0.6.73), downloadable at the following link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn, the OpenSSL version was upgraded to 1.1 and...
- Feb 28, 2018
Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
NG_Guru
Feb 25, 2018, Star
I can confirm that step 1 can be avoided (R8500) by going to http://192.168.1.1/debug.htm and selecting "Enable Telnet"
Can anyone else confirm that telnet can be enabled this way?
Frankyvee
Apr 13, 2018, Guide
However it does not appear that the R7000 model has enabled the "Telnet" feature on the debug page. :-(
NG_Guru wrote:
I can confirm that step 1 can be avoided (R8500) by going to http://192.168.1.1/debug.htm and selecting "Enable Telnet"
Can anyone else confirm that telnet can be enabled this way?
- pthorvald, Apr 16, 2018, Guide
Has anyone heard from Netgear lately? The deadline is approaching fast.
Assuming they do release a fix, it will be interesting to see what they do.
- What level of protection will it provide?
- Will it break the fix that this thread supplies? (I would guess it will)
- How hard will it be to put the keys we developed with this fix back on the router? (I don't want to have to distribute keys again)
I am half tempted to not install new fixes from Netgear..... but there are other security fixes that would be foolish to ignore.
Once again my thanks go out to Diggie3 for the fantastic work he did in figuring out a solution and documenting it so well.
- pthorvald, Apr 28, 2018, Guide
The silence from Netgear is ominous.
- NG_Guru, Apr 28, 2018, Star
Here is why you’ll never get anywhere with NG. Read the box that your router came in: “Netgear makes no representations or warranties about this product’s compatibility with future standards.”
Sounds like they don’t “have” to fix anything. And we sure don’t have to buy any future products from them.
- pthorvald, Apr 28, 2018, Guide
Almost all companies have that type of disclaimer. Their lawyers insist on it.
Many (most?) reputable companies still try to take care of things like this, particularly if it is an advertised feature.... they don't want to get a bad rep.
However, as you say, we don't have to buy from them and if they don't fix this I will no longer be a customer of theirs because they will have lost my trust. More importantly, I will be doing reviews of the product wherever I can so others find out about the lack of support for an advertised feature. (An important part of capitalism is having a well informed customer.... so I will help inform other customers of my personal experience)
Having said that, I still hope Netgear comes through.
- katsaw, Apr 29, 2018, Guide
So disappointed! This is the way NG serves customers!
My situation is worse than yours because the R6220 can’t use the method mentioned in this post.
- stereoptic, May 01, 2018, Tutor
So, it looks like the certificates have been changed to SHA256:
https://kb.netgear.com/000057097/R7000-Firmware-Version-1-0-9-30-Hot-Fix
I'm not sure what settings will be changed; they suggest making a record of everything before doing the upgrade.
- katsaw, May 01, 2018, Guide
stereoptic wrote:
So, it looks like the certificates have been changed to SHA256:
https://kb.netgear.com/000057097/R7000-Firmware-Version-1-0-9-30-Hot-Fix
I'm not sure what settings will be changed; they suggest making a record of everything before doing the upgrade.
Congratulations to R7000 users, it seems NG is completing the OpenVPN update for the MD5 security issue:
New Features and Enhancements:
- OpenVPN cert update (from MD5 to SHA256)
Does that mean the new certificate must be generated after firmware upgrade?
- pthorvald, May 01, 2018, Guide
First: A thanks to NG for coming through with a fix.
> Does that mean the new certificate must be generated after firmware upgrade?
I have not tried the fix yet. However, my guess is that after the update we will have to export the keys and deploy them to our devices just like we did originally.
If anyone gets a chance to look under the covers of what they implemented I would be interested in learning what you find. (I won't be able to look for a week or so) I am guessing they are using the same keys for everyone (just like before). Consequently I am hoping I can go back in and put the keys that Diggie3 showed us how to generate back in. (This will also save me from having to distribute keys again)
- 96708, May 01, 2018, Apprentice
Can you elaborate on what you mean by same keys for everyone?
- pthorvald, May 01, 2018, Guide
96708 wrote:
Can you elaborate on what you mean by same keys for everyone?
From what I have read on this and other NG Forum threads, it sounds like the router does not generate keys. Instead they ship with a set of keys (The same for every router). If anyone else on the thread has a more definitive explanation, please chime in.
- katsaw, May 01, 2018, Guide
pthorvald wrote:
96708 wrote:
Can you elaborate on what you mean by same keys for everyone?
From what I have read on this and other NG Forum threads, it sounds like the router does not generate keys. Instead they ship with a set of keys (The same for every router). If anyone else on the thread has a more definitive explanation, please chime in.
No, this is not exactly what you mentioned.
In the past, the Netgear router’s OpenVPN key/certificate was downloaded from the router’s firmware setup page and stored on either a PC or mobile phones. However, the key/certificate will never change, no matter whether the router is “Reset” or even firmware upgraded. That means that if someone had got the key/certificate before, you can never stop him/her from connecting to your OpenVPN in the future.
- katsaw, May 01, 2018, Guide
pthorvald wrote:
First: A thanks to NG for coming through with a fix.
> Does that mean the new certificate must be generated after firmware upgrade?
I have not tried the fix yet. However, my guess is that after the update we will have to export the keys and deploy them to our devices just like we did originally.
If anyone gets a chance to look under the covers of what they implemented I would be interested in learning what you find. (I won't be able to look for a week or so) I am guessing they are using the same keys for everyone (just like before). Consequently I am hoping I can go back in and put the keys that Diggie3 showed us how to generate back in. (This will also save me from having to distribute keys again)
I am afraid that Diggie3's method is no longer valid after this new firmware upgrade. I hope somebody can tell if Diggie’s method can still work with this new firmware version.
- Diggie3, May 01, 2018, Luminary
Hi all,
Unfortunately I have been absolutely slammed with work for some time, working nights and weekends, and I haven't had a chance to work on the VPN issue lately. I am glad people were able to update their certs and help one another around some issues.
I don't expect to be able to try the beta before the weekend at least. Just putting that out there in case anyone was waiting for a comment from me.
- pthorvald, May 01, 2018, Guide
Diggie3 wrote:
Hi all,
Unfortunately I have been absolutely slammed with work for some time, working nights and weekends, and I haven't had a chance to work on the VPN issue lately. I am glad people were able to update their certs and help one another around some issues.
I don't expect to be able to try the beta before the weekend at least. Just putting that out there in case anyone was waiting for a comment from me.
Diggie3, you are a rock star!!!! You have already done more than any of us could have hoped for.
- stereoptic, May 01, 2018, Tutor
Based upon what I am reading here about the certificates not being unique, I think that your solution is much more secure!
Before I purchased this router, I had built my own VPN using these instructions:
Build a Smart Raspberry Pi VPN Server: Auto Configuring, Plug-n-Play, Use from Anywhere (3rd Edition, Rev 2.0)
- Diggie3, May 01, 2018, Luminary
Regarding certificate uniqueness,
Modern NG routers, like the R7000, should have unique certificates*, with the main downside being that you only get one client certificate to share among all your clients. Fortunately we at least have manual steps to replace that cert if needed.
*Caveat: I haven't checked the beta myself yet but I assume they're not doing anything stupid.
Older generation routers where you can't replace the certs: I would recommend not to use OpenVPN server on them.