This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
On closer inspection turns out my router is a D7000 not a R7000 (did try to update the thread last night but the storm knocked out my internet connection).
Definitely had the new certs copied over ok, they just get replaced after the reboot. Guessing the D7000 either needs some extra steps or won't support updating 😞
Thanks for the guide anyway - was good fun following 🙂
Hi Diggie3, great effort and considerate of you to share your knowledge. I read your document and started working through the steps time permitting. I like to share 3 observations so far.
1- At PUTTY step 2b you mention port 22 where in the screen you show 23. Port 23 is also in the result of 1h.
2- Given the long time telnet is enabled if I follow your sequence, why not first calculate the new keys, then enable telnet and so on. Then telnet is not open for that long.
3- The PDf is secured. I understand why. However all information needs to be typed over, including URLs to the software used.
4- Keys now generated. Had to change the paths in VARS.bat to point to the proper %home% and bin path.
Question: when updating the firmware, do I need to redo the change of keys?
Just finished. Instructions worked great and resultcis good, as expected. I did them in the sequence as nitrd in my earlier post. I also had to temparary change my router password, as identified by Someone67387463.
Here is why you’ll never get anywhere with NG. Read the box that your router came in: “Netgear makes no representations or warranties about this product’s compatibility with future standards.” Sounds like they don’t “have” to fix anything. And we sure don’t have to buy any future products from them.
Almost all companies have that type of disclaimer. Their lawyers insist on it.
Many (most?) reputable companies still try to take care of things like this, particularly if it is an advertised feature.... they don't want to get a bad rep.
However, as you say, we don't have to buy from them and if they don't fix this I will no longer be a customer of theirs because they will have lost my trust. More importantly, I will be doing reviews of the product wherever I can so others find out about the lack of support for an advertised feature. (An important part of capitalisim is having a well informed customer.... so I will help inform other customers of my personal experience)
Having said that, I still hope Netgear comes through.
First: A thanks to NG for comming through with a fix.
> Does that mean the new certificate must be generated after firmware upgrade?
I have not tried the fix yet. However, my guess after the update we will have to export the keys and deploy them to our devices just like we did originally.
If anyone gets a chance to look under the covers of what they implimented I would be interested in learning what you find. (I won't be able to look for a week or so) I am guessing they are using the same keys for everyone (just like before). Consequently I am hoping I can go back in and put the keys that Diggie3 showed us how to generate back in. (This will also save me from having to distribute keys again)
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Can you elaborate on what you mean by same keys for everyone?
From what I have read on this and other NG Forum threads, it sounds like the router does not generate keys. Instead they ship with a set of keys (The same for every router). If anyone else on the thread has a more definitive explination, please chime in.
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Can you elaborate on what you mean by same keys for everyone?
From what I have read on this and other NG Forum threads, it sounds like the router does not generate keys. Instead they ship with a set of keys (The same for every router). If anyone else on the thread has a more definitive explination, please chime in.
No, this is not exactly you mentioned.
In the past, Netgear router’s OpenVPN key/certificate was downloaded from router’s firmware setup page and stored to either PC or Mobile phones. However, the key/certificate will never change no matter the router is “Reset” or even firmware upgraded. That means, if someone had got the key/certificate before you can never stop him/her from connecting to your OpenVPN in the future.
First: A thanks to NG for comming through with a fix.
> Does that mean the new certificate must be generated after firmware upgrade?
I have not tried the fix yet. However, my guess after the update we will have to export the keys and deploy them to our devices just like we did originally.
If anyone gets a chance to look under the covers of what they implimented I would be interested in learning what you find. (I won't be able to look for a week or so) I am guessing they are using the same keys for everyone (just like before). Consequently I am hoping I can go back in and put the keys that Diggie3 showed us how to generate back in. (This will also save me from having to distribute keys again)
I am afraid that @Diggie3‘s method no longer valid after this new firmware upgrade. I hope somebody can tell if Diggie’s method can still work with this new firmware version.
Unfortunately I have been absolutely slammed with work for some time, working nights and weekends, and I haven't had a chance to work on the VPN issue lately. I am glad people were able to update their certs and help one another around some issues.
I don't expect to be able to try the beta before the weekend at least. Just putting that out there in case anyone was waiting for a comment from me.
Unfortunately I have been absolutely slammed with work for some time, working nights and weekends, and I haven't had a chance to work on the VPN issue lately. I am glad people were able to update their certs and help one another around some issues.
I don't expect to be able to try the beta before the weekend at least. Just putting that out there in case anyone was waiting for a comment from me.
Diggie3, you are a rock star!!!! You have already done more than any of us could have hopped for.
Modern NG routers, like the R7000, should have unique certificates*, with the main downside being that you only get one client certificate to share among all your clients. Fortunately we at least have manual steps to replace that cert if need.
*Caveat: I haven't checked the beta myself yet but I assume they're not doing anything stupid.
Older generation routers where you can't replace the certs: I would recommend not to use OpenVPN server on them.
It seems to regenerate certs indeed. After confirming there's a progress bar for a few seconds.Updated profile on phone client and it's happy, works and no more warning.
<<Attention>> A new OpenVPN configuration package for your router is available that enhances your router's security. You must update the OpenVPN configuration package for your router. Once the OpenVPN configuration package is updated, you must update the OpenVPN configuration package on all your clients; otherwise, your clients won't be able to access your router using the VPN feature.
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
I downloaded the new firmware (you need to download the file as the router does not find this new beta firmware) and re-created new keys. OpenVPN is working fine on my android. Also, the upgrade did not seem to change any settings that I am aware of.
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
