Orbi WiFi 7 RBE973
Reply

Netgear R7000 and OpenVPN for Android App

NG_Guru
Star

Re: Netgear R7000 and OpenVPN for Android App

looks like the certificates are stored in /usr/temp/openvpn 

files are: ca.crt  client.crt  client.key  dh1024.pem  server.crt  server.key

 

There may also be an easier way to enable telnet from the chek box at http://192.168.1.1/debug.htm

Message 51 of 139
kuser
Star

Re: Netgear R7000 and OpenVPN for Android App

This looks very promising, why is this page hidden?

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 52 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Hi,

Please see attached. I hope it works for you, but it is 100% at your own risk.

It has honestly been exhausting putting this together so I hope NG will automate replacing keys through the UI in future.
Message 53 of 139
huttler
Aspirant

Re: Netgear R7000 and OpenVPN for Android App

Thank you for posting the fix! Hopefully I can try it out next weekend
Message 54 of 139
NG_Guru
Star

Re: Netgear R7000 and OpenVPN for Android App

I can confirm that step 1 can be avoided (R8500) by going to http://192.168.1.1/debug.htm and select "Enable Telnet "

Can anyone else confirm that telnet can be enabled this way ?

Message 55 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

NG_Guru: I'm open to writing in some shortcuts as long as it doesn't complicate the flow. I do know the magic packet has been around for years on all models/firmwares.

I'd love to hear from anyone who managed to replace their keys successfully so I know I didn't write in any major errors. I found a couple of insignificant typos I'll fix later in a 1.0.1 version.

Cheers, and good luck.
Message 56 of 139
NG_Guru
Star

Re: Netgear R7000 and OpenVPN for Android App

@Diggie3

 

Very nice instructions!

I was able to update my NightHawk R8500 using these instructions. 

For me the hardest part would have been creating the keys. Your directions were right on!

I verified old keys are dead and new keys are working.

My R8500 is hardware Ver1 and Firmware Version V1.0.2.116

 

Message 57 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:
Hi,

Please see attached. I hope it works for you, but it is 100% at your own risk.

It has honestly been exhausting putting this together so I hope NG will automate replacing keys through the UI in future.


Hi Diggie3,

 

Thank you very much for your useful instruction!

For my R6220 router with Firmware Version V1.1.0.64_1.0.1, I can enable telnet by select the option in http://192.168.XX.1/debug.htm.

However, the files in the directory /tmp/openvpn of your instructions are:

ca.crt
client.crt
client.key
dh1024.pem
server.crt
server.key

 

In my R6220 router, the files are:

ca.crt
ca.key
client.crt
client.csr
client.key
dh1024.pem
dh2048.pem
openss1.cnf
server.crt
server.csr
server.key
vars

 

More files found in the mentioned directory.  Do you have any idea about the other files?  Especially there are 2 pem files "dh1024.pem" & "dh2048.pem".

 

 

Message 58 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@NG_Guruwrote:

I can confirm that step 1 can be avoided (R8500) by going to http://192.168.1.1/debug.htm and select "Enable Telnet "

Can anyone else confirm that telnet can be enabled this way ?


This also work for my R6220 router.  Selecting "Enable Telnet" will enbale the linux telnet server inside the R6220.

Message 59 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

That's interesting.

I'm not at home right now so I can't check my R7000 but one difference seems to be that on your device the OpenVPN configuration seems to be in /tmp/openvpn, whereas on my R7000 it's at a different location.

Can you please follow Step 4, then follow the part of Step 5 that tells you how to transfer the original keys from your router with tftp, but instead of sending originalkeys.zip send openss1.cnf. I would suspect looking at this file will tell us which files the router is really going to use. It might also be interesting to inspect "vars". Please check they have no confidential information before posting them, or send me links in a direct message.

It looks like some of those files are certificate signing requests that perhaps NG left on the device but I suspect don't actually need to be there (though you should leave them alone). ca.key probably is supposed to be on the key signing machine only so assuming your router is never signing new keys itself (afaik my R7000 doesn't) that probably isn't necessary either.
Message 60 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:
That's interesting.

I'm not at home right now so I can't check my R7000 but one difference seems to be that on your device the OpenVPN configuration seems to be in /tmp/openvpn, whereas on my R7000 it's at a different location.

Can you please follow Step 4, then follow the part of Step 5 that tells you how to transfer the original keys from your router with tftp, but instead of sending originalkeys.zip send openss1.cnf. I would suspect looking at this file will tell us which files the router is really going to use. It might also be interesting to inspect "vars". Please check they have no confidential information before posting them, or send me links in a direct message.

It looks like some of those files are certificate signing requests that perhaps NG left on the device but I suspect don't actually need to be there (though you should leave them alone). ca.key probably is supposed to be on the key signing machine only so assuming your router is never signing new keys itself (afaik my R7000 doesn't) that probably isn't necessary either.

Sure, I will try my best to get all the mentioned information.  If possible, I will get all these files and attached.

It may need couples of days because I am not familiar with the operation of tftp files transfer.

Anyway, thank you very much for your attention.

Message 61 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

No problem. Following those guide steps should give you all you need to enter the tftp commands, but another way is to type,

cat openss1.cnf
cat vars

This will dump their contents into the console, so it's a bit messy but you could then copy/paste.
Message 62 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:
No problem. Following those guide steps should give you all you need to enter the tftp commands, but another way is to type,

cat openss1.cnf
cat vars

This will dump their contents into the console, so it's a bit messy but you could then copy/paste.

Sorry, I have made a mistake.  The file name should be "openssl.cnf" instead of "openss1.cnf".

The text content of "openssl.cnf", "vars", "dh1024.pem" & "dh2048.pem" is attached in a single PDF file.

 

 

Message 63 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:
That's interesting.

I'm not at home right now so I can't check my R7000 but one difference seems to be that on your device the OpenVPN configuration seems to be in /tmp/openvpn, whereas on my R7000 it's at a different location.

Can you please follow Step 4, then follow the part of Step 5 that tells you how to transfer the original keys from your router with tftp, but instead of sending originalkeys.zip send openss1.cnf. I would suspect looking at this file will tell us which files the router is really going to use. It might also be interesting to inspect "vars". Please check they have no confidential information before posting them, or send me links in a direct message.

It looks like some of those files are certificate signing requests that perhaps NG left on the device but I suspect don't actually need to be there (though you should leave them alone). ca.key probably is supposed to be on the key signing machine only so assuming your router is never signing new keys itself (afaik my R7000 doesn't) that probably isn't necessary either.

I am interesting why you are curious about the location of OpenVPN configuration file (/tmp/openvpn) of my R6220 router?  Actually, I followed the instruction in page 32 & 33 of your provided PDF.  It also stated that we can find the configuration files in "tmp/openvpn".

 

It will be a problem for me since there are 2 pem files (dh1024.pem & dh2048.pem) I have insufficient knowledge to know which one the the correct Diffie Hellman parameters!

 

Pls let me know if you need more information of the files found in my Netgear R6220.

 

Thanks again.

Message 64 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Please be careful which files you post, you should not post your dh params. Fortunately we are working on replacing those 😉

Okay so the files you posted (openssl.cnf and vars) are part of the easy rsa scripts to generate the original keys. I would continue to guess that unless the router itself was generating keys, which I doubt, they don't really need to be there, and we should just ignore them.

Try these commands:

cat /tmp/server_tap.conf
cat /tmp/server_tun.conf

On my R7000 the first few lines of each output will show the dh file that OpenVPN server is using.

You can probably also type this to verify which conf files are in use:

ps | grep openvpn

Unfortunately, at least on my R7000, /tmp itself stored on part of a file system that is not updatable (you can write to it but when you reboot your changes will most likely be gone). This leaves us only able to update the keys and not the OpenVPN configs themselves. If NG engineers wanted to be friendly and helpful us fix more problems ourselves in future they could think about making more writable overlays 🙂
Message 65 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:
Please be careful which files you post, you should not post your dh params. Fortunately we are working on replacing those 😉

Okay so the files you posted (openssl.cnf and vars) are part of the easy rsa scripts to generate the original keys. I would continue to guess that unless the router itself was generating keys, which I doubt, they don't really need to be there, and we should just ignore them.

Try these commands:

cat /tmp/server_tap.conf
cat /tmp/server_tun.conf

On my R7000 the first few lines of each output will show the dh file that OpenVPN server is using.

You can probably also type this to verify which conf files are in use:

ps | grep openvpn

Unfortunately, at least on my R7000, /tmp itself stored on part of a file system that is not updatable (you can write to it but when you reboot your changes will most likely be gone). This leaves us only able to update the keys and not the OpenVPN configs themselves. If NG engineers wanted to be friendly and helpful us fix more problems ourselves in future they could think about making more writable overlays 🙂

Many thanks for your quick reply!

 

The 2 files cannot be found in the specified directory.

/tmp/server_tap.conf
/tmp/server_tun.conf

 

After executing the command "ps | grep openvpn", the follow result found in the screen:

4685 root 1520 S grep openvpn
7189 root 3904 S /usr/sbin/openvpn --config /etc/server.conf
7191 root 4196 S /usr/sbin/openvpn --config /etc/server_phone.conf

 

Message 66 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Okay, your router seems to be significantly different.

Type:
cat /etc/server.conf
cat /etc/server_phone.conf

That'll let you see your OpenVPN configs.
Message 67 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:
Okay, your router seems to be significantly different.

Type:
cat /etc/server.conf
cat /etc/server_phone.conf

That'll let you see your OpenVPN configs.

Pls find the outcome below by cut & paste of the text output.  It seems the file “/etc/server_phone.conf” will be the true config of my OpenVPN server because I am currently using port 8443 (UDP). 

 

# cat /etc/server.conf
dh /tmp/openvpn/dh1024.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dev tap0
server-bridge
proto udp
port 12974
keepalive 10 120
verb 5
mute 5
log-append /tmp/openvpn_log
writepid /tmp/openvpnd.pid
mtu-disc yes
topology subnet
cipher AES-128-CBC
auth sha1
tls-server
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
comp-lzo
fast-io
push "route 192.168.11.0 255.255.255.0"
push "route-delay 5"

 

 


# cat /etc/server_phone.conf
dh /tmp/openvpn/dh1024.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
dev tun
server 192.168.2.0 255.255.255.0
proto udp
port 8443
keepalive 10 120
verb 5
mute 5
log-append /tmp/openvpn_log
writepid /tmp/openvpnd.pid
mtu-disc yes
topology subnet
cipher AES-128-CBC
auth sha1
tls-server
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
comp-lzo
fast-io
push "route 192.168.11.0 255.255.255.0"

#

 

 

Message 68 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

The forum seems to have lost my last post so hopefully this doesn't post twice.

 

Things we can see:

1. Based on your file list from /tmp/openvpn, we can see that your router uses "client" as the base name for client keys/certificates, and "server" for the base name for server keys/certificates. That's compatible with the PDF.

 

2. Based on the OpenVPN config files you dumped, we can see the OpenVPN server is loading dh1024.pem. That's compatible with the PDF.

 

As I wrote earlier, I think some of the extra files are:

- Copies of the easy rsa scripts used to create your keys originally, but I suspect unused by the router

- Certificate signing requests, which are usually part of the easy rsa key generation process, and I suspect also unused by the router

- dh2048.pem I don't know why this is here. It might be unused, but I can't say for sure. I don't know if your model has some other service that my R7000 doesn't have.

 

So in summary, my best guess would be that the steps in the guide should work for you. The choice to proceed and the risk involved in that is yours. There is always some risk that our models are different enough that you have a different version of OpenVPN that is incompatible with the new keys for some reason, though I wouldn't expect this. Please realize I can only provide my best guess since I don't have access to your model.

 

If you do decide to go ahead:

- Absolutely follow Step 5 to backup the files that will be replaced, and to know how to restore them if you need to.

- You could also do this:

 

zip -9 fullbackup.zip *

 

... to try to fully backup all the original files. Check that the zip utility lists all of the files you found in your /tmp/openvpn folder as it works.

 

 

 

Message 69 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:

The forum seems to have lost my last post so hopefully this doesn't post twice.

 

Things we can see:

1. Based on your file list from /tmp/openvpn, we can see that your router uses "client" as the base name for client keys/certificates, and "server" for the base name for server keys/certificates. That's compatible with the PDF.

 

2. Based on the OpenVPN config files you dumped, we can see the OpenVPN server is loading dh1024.pem. That's compatible with the PDF.

 

As I wrote earlier, I think some of the extra files are:

- Copies of the easy rsa scripts used to create your keys originally, but I suspect unused by the router

- Certificate signing requests, which are usually part of the easy rsa key generation process, and I suspect also unused by the router

- dh2048.pem I don't know why this is here. It might be unused, but I can't say for sure. I don't know if your model has some other service that my R7000 doesn't have.

 

So in summary, my best guess would be that the steps in the guide should work for you. The choice to proceed and the risk involved in that is yours. There is always some risk that our models are different enough that you have a different version of OpenVPN that is incompatible with the new keys for some reason, though I wouldn't expect this. Please realize I can only provide my best guess since I don't have access to your model.

 

If you do decide to go ahead:

- Absolutely follow Step 5 to backup the files that will be replaced, and to know how to restore them if you need to.

- You could also do this:

 

zip -9 fullbackup.zip *

 

... to try to fully backup all the original files. Check that the zip utility lists all of the files you found in your /tmp/openvpn folder as it works.

 

 

 


Thank you so much for your professional advice!

I understand every step we make will have certain level of risk.  However, you have tried your best to help me analyse the situation.  Total loss of the router will always be the worst case scenario and I am always prepared for that.

 

I will backup all files in the said directory to to reduce the risk.  

Now, I must first learn how to generate the new certificate/key in your instructions 3b to 3e.

 

Is it required to change the “/tmp/server_phone.conf” file when changing a stronger encryption method?

It is because OpenVPN connect for both Android & iOS no longer support MD5 after April 30.

Message 70 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

It should not be required to change “/tmp/server_phone.conf”, and in fact it is probably not possible to do that either.

 

The MD5 algorithm is used by the original certificates. Following the PDF should cause these to be replaced. The PDF has steps to produce certificates using SHA256, which is much stronger.

Message 71 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

@NG_Guru I went to investigate http://192.168.1.1/debug.htm . I found that:

* It did not exist on R7000 FW versions 1.7.x.

* It does exist on the latest FW version, 1.9.26, but the code to display and send the telnet option to the router have been commented out in debug.htm, so it's not user accessible. This FW is less than a month old.

 

Therefore I think this option is very likely to be dependent on which model you have and which firmware version you are using. Clearly the page doesn't always exist, and if it does exist NG may be disabling that option.

Message 72 of 139
Diggie3
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.

 

Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:

 

http://192.168.1.1/debug.htm

 

If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.

Message 73 of 139
katsaw
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:

Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.

 

Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:

 

http://192.168.1.1/debug.htm

 

If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.


Thanks for the new update of your instruction guide.

I am so luck that my R6220 router still have the "debug.htm" hidden page and with the "enable telnet" option.

 

Thanks for answering all my questions in these days.

No matter I can successfully change the VPN key / certificate with your method or not, I will get back to this post to confirm.

Message 74 of 139
fcol
Tutor

Re: Netgear R7000 and OpenVPN for Android App

Diggie3 - I just followed your 1.0.1 instructions and successfully replaced my keys onto my R7000.  Those instructions were excellent.  Thank you so much for taking the time to do this!

Message 75 of 139
Top Contributors
Discussion stats
Announcements

Orbi 770 Series