Orbi WiFi 7 RBE973
Reply

Re: Netgear R7000 and OpenVPN for Android App

Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

There are two possibilities:
- newkeys.zip has the old keys inside
- you weren't cd'd into the right folder when you unzipped

Well, there are of course many possibilities but those are the most likely!
Message 101 of 139
BusterGonad
Aspirant

Re: Netgear R7000 and OpenVPN for Android App

Hey @Diggie3 - thanks for responding.

 

On closer inspection turns out my router is a D7000 not a R7000 (did try to update the thread last night but the storm knocked out my internet connection).

 

Definitely had the new certs copied over ok, they just get replaced after the reboot.  Guessing the D7000 either needs some extra steps or won't support updating 😞

 

Thanks for the guide anyway - was good fun following 🙂

Message 102 of 139

Re: Netgear R7000 and OpenVPN for Android App

Hi Diggie3, great effort and considerate of you to share your knowledge. I read your document and started working through the steps time permitting. I like to share 3 observations so far.

1- At PUTTY step 2b you mention port 22 where in the screen you show 23. Port 23 is also in the result of 1h.

2- Given the long time telnet is enabled if I follow your sequence, why not first calculate the new keys, then enable telnet and so on. Then telnet is not open for that long.

3- The PDf is secured. I understand why. However all information needs to be typed over, including URLs to the software used.

4- Keys now generated. Had to change the paths in VARS.bat to point to the proper %home% and bin path.

 

Question: when updating the firmware, do I need to redo the change of keys?

Message 103 of 139

Re: Netgear R7000 and OpenVPN for Android App

Just finished. Instructions worked great and resultcis good, as expected. I did them in the sequence as nitrd in my earlier post. I also had to temparary change my router password, as identified by Someone67387463

Message 104 of 139
pthorvald
Guide

Re: Netgear R7000 and OpenVPN for Android App

The silence from Netgear is ominous.

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 105 of 139
NG_Guru
Star

Re: Netgear R7000 and OpenVPN for Android App

Here is why you’ll never get anywhere with NG. Read the box that your router came in: “Netgear makes no representations or warranties about this product’s compatibility with future standards.”
Sounds like they don’t “have” to fix anything. And we sure don’t have to buy any future products from them.
Message 106 of 139
pthorvald
Guide

Re: Netgear R7000 and OpenVPN for Android App

Almost all companies have that type of disclaimer.   Their lawyers insist on it.  

 

Many (most?) reputable companies still try to take care of things like this, particularly if it is an advertised feature.... they don't want to get a bad rep.

 

However,   as you say, we don't have to buy from them and if they don't fix this I will no longer be a customer of theirs because they will have lost my trust.     More importantly, I will be doing reviews of the product wherever I can so others find out about the lack of support for an advertised feature.     (An important part of capitalisim is having a well informed customer.... so I will help inform other customers of my personal experience)

 

Having said that,  I still hope Netgear comes through.       

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 107 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App

So disappointed!  This is the way NG to server customer!

 

I have the situation worse than yours because R6220 can’t use the method mentioned by this post.

Message 108 of 139
stereoptic
Tutor

Re: Netgear R7000 and OpenVPN for Android App

So, it looks like the certificates have been changed to SHA256:

https://kb.netgear.com/000057097/R7000-Firmware-Version-1-0-9-30-Hot-Fix

 

I'm not sure what settings will be changed, they suggest to make a record of everything before doing the upgrade.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 109 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@stereoptic wrote:

So, it looks like the certificates have been changed to SHA256:

https://kb.netgear.com/000057097/R7000-Firmware-Version-1-0-9-30-Hot-Fix

 

I'm not sure what settings will be changed, they suggest to make a record of everything before doing the upgrade.


Congratulations to R7000 users, it seems NG completing the OpenVPN update for MD5 security issue:

 

New Features and Enhancements:

  • OpenVPN cert update (from MD5 to SHA256)

Does that mean the new certificate must be generated after firmware upgrade?

Message 110 of 139
pthorvald
Guide

Re: Netgear R7000 and OpenVPN for Android App

First:   A thanks to NG for comming through with a fix.      

 

> Does that mean the new certificate must be generated after firmware upgrade?

I have not tried the fix yet.   However, my guess after the update we will have to export the keys and deploy them to our devices just like we did originally.    

 

If anyone gets a chance to look under the covers of what they implimented I would be interested in learning what you find.  (I won't be able to look for a week or so)   I am guessing they are using the same keys for everyone (just like before).   Consequently I am hoping I can go back in and put the keys that Diggie3 showed us how to generate back in.   (This will also save me from having to distribute keys again)

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 111 of 139
96708
Apprentice

Re: Netgear R7000 and OpenVPN for Android App

Can you elaborate on what you mean by same keys for everyone?

Message 112 of 139
pthorvald
Guide

Re: Netgear R7000 and OpenVPN for Android App


@96708 wrote:

Can you elaborate on what you mean by same keys for everyone?


From what I have read on this and other NG Forum threads,   it sounds like the router does not generate keys.   Instead they ship with a set of keys (The same for every router).      If anyone else on the thread has a more definitive explination, please chime in.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 113 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@pthorvald wrote:

@96708 wrote:

Can you elaborate on what you mean by same keys for everyone?


From what I have read on this and other NG Forum threads,   it sounds like the router does not generate keys.   Instead they ship with a set of keys (The same for every router).      If anyone else on the thread has a more definitive explination, please chime in.


No, this is not exactly you mentioned.

In the past, Netgear router’s OpenVPN key/certificate was downloaded from router’s firmware setup page and stored to either PC or Mobile phones.  However, the key/certificate will never change no matter the router is “Reset” or even firmware upgraded.  That means, if someone had got the key/certificate before you can never stop him/her from connecting to your OpenVPN in the future.

Message 114 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@pthorvald wrote:

First:   A thanks to NG for comming through with a fix.      

 

> Does that mean the new certificate must be generated after firmware upgrade?

I have not tried the fix yet.   However, my guess after the update we will have to export the keys and deploy them to our devices just like we did originally.    

 

If anyone gets a chance to look under the covers of what they implimented I would be interested in learning what you find.  (I won't be able to look for a week or so)   I am guessing they are using the same keys for everyone (just like before).   Consequently I am hoping I can go back in and put the keys that Diggie3 showed us how to generate back in.   (This will also save me from having to distribute keys again)


I am afraid that @Diggie3‘s method no longer valid after this new firmware upgrade.  I hope somebody can tell if Diggie’s method can still work with this new firmware version.

Message 115 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Hi all,

Unfortunately I have been absolutely slammed with work for some time, working nights and weekends, and I haven't had a chance to work on the VPN issue lately. I am glad people were able to update their certs and help one another around some issues.

I don't expect to be able to try the beta before the weekend at least. Just putting that out there in case anyone was waiting for a comment from me.
Message 116 of 139
pthorvald
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3 wrote:
Hi all,

Unfortunately I have been absolutely slammed with work for some time, working nights and weekends, and I haven't had a chance to work on the VPN issue lately. I am glad people were able to update their certs and help one another around some issues.

I don't expect to be able to try the beta before the weekend at least. Just putting that out there in case anyone was waiting for a comment from me.

Diggie3,  you are a rock star!!!!     You have already done more than any of us could have hopped for.

Message 117 of 139
stereoptic
Tutor

Re: Netgear R7000 and OpenVPN for Android App

Based upon what I am reading here about the certificates not being unique, I think that your solution is much more secure!

 

Before I purchased this router, I had built my own VPN using these instructions:

Build a Smart Raspberry Pi VPN Server: Auto Configuring, Plug-n-Play, Use from Anywhere (3rd Edition, Rev 2.0)

http://a.co/94t6c1t

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 118 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Regarding certificate uniqueness,

Modern NG routers, like the R7000, should have unique certificates*, with the main downside being that you only get one client certificate to share among all your clients. Fortunately we at least have manual steps to replace that cert if need.

*Caveat: I haven't checked the beta myself yet but I assume they're not doing anything stupid.

Older generation routers where you can't replace the certs: I would recommend not to use OpenVPN server on them.
Message 119 of 139
Mrbobs1
Tutor

Re: Netgear R7000 and OpenVPN for Android App


@jesperch wrote:

has anyone tried the most recent hot fix.  it lists Security

R7000 Firmware Version 1.0.9.26 - Hot Fix

Bug Fixes:

  • Fixes the Wi-Fi disconnect issue caused by a flood of broadcast traffic.
  • Fixes security issues.

 

https://kb.netgear.com/000053870/R7000-Firmware-Version-1-0-9-26-Hot-Fix

 


Do the have an update for the R7000P version yet  ?

  Can't seem to finid it anywhere.

 

Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 120 of 139
Kilrah
Guide

Re: Netgear R7000 and OpenVPN for Android App

It seems to regenerate certs indeed. After confirming there's a progress bar for a few seconds.Updated profile on phone client and it's happy, works and no more warning.

 

<<Attention>> A new OpenVPN configuration package for your router is available that enhances your router's security. You must update the OpenVPN configuration package for your router. Once the OpenVPN configuration package is updated, you must update the OpenVPN configuration package on all your clients; otherwise, your clients won't be able to access your router using the VPN feature.
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 121 of 139
stereoptic
Tutor

Re: Netgear R7000 and OpenVPN for Android App

I downloaded the new firmware (you need to download the file as the router does not find this new beta firmware) and re-created new keys.  OpenVPN is working fine on my android.  Also, the upgrade did not seem to change any settings that I am aware of.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 122 of 139
Frankyvee
Guide

Re: Netgear R7000 and OpenVPN for Android App

Can you tell me what the exact firmware update file name or version # that you used?

Thank You

Message 123 of 139
stereoptic
Tutor

Re: Netgear R7000 and OpenVPN for Android App

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 124 of 139
Frankyvee
Guide

Re: Netgear R7000 and OpenVPN for Android App

Thank You soo much!!!  I got it working!  I can get to my cameras now from the outside.....sweet.

Message 125 of 139
Top Contributors
Discussion stats
Announcements

Orbi 770 Series