Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

discountcoffee
Aspirant

Nighthawk R7000 openvpn Cannot load certificate file client.crt

Hello 

I have Nighthawk R7000 running firmware V1.0.11.136_10.2.120 and I was wanting to run a vpn.

 

I followed the instructions about how to turn on the vpn service and installing openvpn.

 

When I try to run openvpn I get this error in the log:
2023-11-10 14:19:55 us=703000 MANAGEMENT: Client disconnected
2023-11-10 14:19:55 us=703000 Cannot load certificate file client.crt
2023-11-10 14:19:55 us=703000 Exiting due to fatal error

 

Now searching here I found that this was a previous issue that was fixed in version 1.0.9.30 but that was back in 2018.

 

Is there any solution now for the latest firmware?

 

thanks

 

Message 1 of 20

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt


@discountcoffee wrote:

Hello 

I have Nighthawk R7000 running firmware V1.0.11.136_10.2.120 and I was wanting to run a vpn.

 


Which sort of VPN? One that lets you hide your location as you wander around the Internet? Or one that lets you access your own network when you are out and about?

 


I followed the instructions about how to turn on the vpn service and installing openvpn.

 


There have been several recent conversations about openvpn.

 

Search - NETGEAR Communities – openvpn

 

Did you check there?

 

 

Message 2 of 20
discountcoffee
Aspirant

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

@michaelkenward 

one that lets me access my own network from a remote location.

Message 3 of 20
Kitsap
Master

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt


@discountcoffee wrote:

Hello 

I have Nighthawk R7000 running firmware V1.0.11.136_10.2.120 and I was wanting to run a vpn.

 

I followed the instructions about how to turn on the vpn service and installing openvpn.

 

When I try to run openvpn I get this error in the log:
2023-11-10 14:19:55 us=703000 MANAGEMENT: Client disconnected
2023-11-10 14:19:55 us=703000 Cannot load certificate file client.crt
2023-11-10 14:19:55 us=703000 Exiting due to fatal error

 

Now searching here I found that this was a previous issue that was fixed in version 1.0.9.30 but that was back in 2018.

 

Is there any solution now for the latest firmware?

 

thanks

 


When you run the OpenVPN client software and get these errors, how is your remote device connected to the internet?

 

What device are you running the OpenVPN client software on?

 

 

Message 4 of 20
discountcoffee
Aspirant

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

@Kitsap 

it's a fiber connection on an orbi mesh network and it's a windows 11 pc running the latest openvpn software.

the nighthawk has a static ip.

 

I've tried it on our local network on a windows 10 pc and have the same exact error.

 

I believe the problem is with the certificate the Nighthawk R7000 is generating.

I can open the cert myself and see that it is not blank and it looks valid.

 

 

 

Message 5 of 20
Kitsap
Master

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt


@discountcoffee wrote:

@Kitsap 

it's a fiber connection on an orbi mesh network and it's a windows 11 pc running the latest openvpn software.

the nighthawk has a static ip.

 

I've tried it on our local network on a windows 10 pc and have the same exact error.

 

I believe the problem is with the certificate the Nighthawk R7000 is generating.

I can open the cert myself and see that it is not blank and it looks valid.

 


You cannot test an Open VPN connection from the same network where the Open VPN server on the router is connected.

 

If you have a mobile device, you can disconnect from the local Wi-Fi and test over a cell service connection.  With a laptop computer, you will have to connect to the internet from somewhere besides at home where your Open VPN server is connected.

 

 

Message 6 of 20

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt


@discountcoffee wrote:

 

it's a fiber connection on an orbi mesh network and it's a windows 11 pc running the latest openvpn software.

the nighthawk has a static ip.

 

 

Does that mean the R7000P is in AP mode?

 

 



 

I believe the problem is with the certificate the Nighthawk R7000 is generating.

I can open the cert myself and see that it is not blank and it looks valid.

 


Probably not:

 

Disabled Features on the Router when set to AP Mode | Answer | NETGEAR Support

 

Message 7 of 20
Kitsap
Master

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

You have significant network configuration issues to be worked out before attempting to run an Open VPN server on your R7000.

 

The fiber connection to the internet comes through an Optical Network Terminal (ONT).  It is possibly a combination device of some type?  What is the brand name and model number of your ONT?

 

From your ONT you connect to an Orbi mesh system.  The Orbi is possibly your router.  What is the model number of your Orbi system?

 

Your R7000 connects via Ethernet to your Orbi system.  If your R7000 is configured in router mode it will be constantly in conflict with the router in your Orbi.  You cannot have both systems running as routers on the same network.

 

If you configure your R7000 as an access point, one of the features that gets disabled is the Open VPN server.

 

 

Message 8 of 20
discountcoffee
Aspirant

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

@Kitsap @michaelkenward 

 

home network:

fiber to orbi router to multiple pcs

 

work network

cable modem to nighthawk to multiple pcs

 

The networking is pretty basic.. please remember the original error from the openvpn client:

"Cannot load certificate file client.crt"

 

That is the problem.

 

If openvpn can't even open the client.crt it can't connect. 

 

my networking is fine.

Message 9 of 20

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt


@discountcoffee wrote:

 

home network:

fiber to orbi router to multiple pcs

 


Where does the R7000 come into this? And is it in the right mode to work on your network?

 


my networking is fine.

Not without an answer to those questions.

 

 

Message 10 of 20
Kitsap
Master

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt


@discountcoffee wrote:

@Kitsap @michaelkenward 

 

home network:

fiber to orbi router to multiple pcs

 

work network

cable modem to nighthawk to multiple pcs

 

The networking is pretty basic.. please remember the original error from the openvpn client:

"Cannot load certificate file client.crt"

 

That is the problem.

 

If openvpn can't even open the client.crt it can't connect. 

 

my networking is fine.


And it will not connect if you are trying to test from a machine connected to the same network as the Open VPN server.

 

Are you trying to connect from your work network on the cable system to your home network on your fiber system?

 

What version of the Open VPN client application are you using?

 

Did you download it from here?  https://openvpn.net/community-downloads/

 

Did you generate the configuration package download after you finished selection of your options?

 

The configuration package for Windows contains four files.  Did you get all four of them copied to the appropriate directory on the machine with the client application?

 

 

Message 11 of 20
Kitsap
Master

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

What is the brand name and model number of the cable modem connected between your R7000 and the internet?

 

 

Message 12 of 20
discountcoffee
Aspirant

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

@Kitsap 

my earlier reply didn't go through for some reason (my cable modem is not the problem)

 

I've tested it from the remote pc and get the same error.

 

I am trying to connect from home to work.

 

I am using OpenVPN-2.6.7-I001-amd64 downloaded from the same place you linked to as well as what the instructions linked to.

 

below is a screen shot of the nighthawk instructions, the files the nighthawk generated in the correct OpenVPN folder and the OpenVPN network adapter.

 

explorer_2023-11-13_16-19-19.png

Can we get past the basics and solve the problem... which is OpenVPN "Cannot load certificate file client.crt"

 

Here is the error in OpenVPN's log file:

 

2023-11-10 14:19:54 us=781000 OpenVPN 2.6.7 [git:v2.6.7/53c9033317b3b8fd] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Nov 8 2023
2023-11-10 14:19:54 us=781000 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-11-10 14:19:54 us=781000 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2023-11-10 14:19:54 us=781000 DCO version: 1.0.0
2023-11-10 14:19:54 us=781000 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-11-10 14:19:54 us=781000 Need hold release from management interface, waiting...
2023-11-10 14:19:55 us=281000 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52292
2023-11-10 14:19:55 us=390000 MANAGEMENT: CMD 'state on'
2023-11-10 14:19:55 us=390000 MANAGEMENT: CMD 'log on all'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'echo on all'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'bytecount 5'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'state'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'hold off'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'hold release'
2023-11-10 14:19:55 us=687000 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-11-10 14:19:55 us=703000 OpenSSL: error:0A00018E:SSL routines::ca md too weak:
2023-11-10 14:19:55 us=703000 MANAGEMENT: Client disconnected
2023-11-10 14:19:55 us=703000 Cannot load certificate file client.crt
2023-11-10 14:19:55 us=703000 Exiting due to fatal error

 

Message 13 of 20
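
Added example, not part of the thread: the log posted above records an OpenSSL error at the same timestamp as the fatal "Cannot load certificate file" line. This Python sketch pairs the two so the OpenSSL reason is reported next to the OpenVPN message; the sample log is constructed from lines quoted in the post, and the names diagnose and REASONS are illustrative assumptions.

```python
import re

# Constructed sample: tail of the client log quoted in the thread.
SAMPLE_LOG = """\
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'hold release'
2023-11-10 14:19:55 us=703000 OpenSSL: error:0A00018E:SSL routines::ca md too weak:
2023-11-10 14:19:55 us=703000 MANAGEMENT: Client disconnected
2023-11-10 14:19:55 us=703000 Cannot load certificate file client.crt
2023-11-10 14:19:55 us=703000 Exiting due to fatal error
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?: us=\d+)?) (.*)$")
# OpenSSL 3.x error string: error:<code>:<library>:<function, often empty>:<reason>
OSSL = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:]*):[^:]*:([^:]+)")
LOAD_FAIL = re.compile(r"Cannot load certificate file (\S+)")

# Reason strings OpenSSL emits when a certificate fails its security-level check.
REASONS = {
    "ca md too weak": "certificate signature uses a digest below the OpenSSL security level",
    "ca key too small": "issuing CA key is smaller than the OpenSSL security level allows",
    "ee key too small": "certificate's own key is smaller than the OpenSSL security level allows",
}

def diagnose(log_text, window=5):
    """Pair each 'Cannot load certificate file' line with the OpenSSL error
    logged at the same timestamp within the preceding `window` lines."""
    entries = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    findings = []
    for i, (ts, msg) in enumerate(entries):
        fail = LOAD_FAIL.search(msg)
        if not fail:
            continue
        code = reason = None
        meaning = "no OpenSSL error logged at this timestamp"
        for p_ts, p_msg in reversed(entries[max(0, i - window):i]):
            err = OSSL.search(p_msg)
            if p_ts == ts and err:
                code, _lib, reason = err.groups()
                meaning = REASONS.get(reason, "unrecognised reason; read the string as logged")
                break
        findings.append({"file": fail.group(1), "openssl_code": code,
                         "reason": reason, "meaning": meaning})
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```
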
discountcoffee
Aspirant

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

@Kitsap 

my replies are not going through

Message 14 of 20
discountcoffee
Aspirant

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

@Kitsap not sure if its the image I'm trying to attach or what but here is my reply without the image embed...I've attached at the bottom of the post. 

 

@Kitsap 

my earlier reply didn't go through for some reason (my cable modem is not the problem)

 

I've tested it from the remote pc and get the same error.

 

I am trying to connect from home to work.

 

I am using OpenVPN-2.6.7-I001-amd64 downloaded from the same place you linked to as well as what the instructions linked to.

 

below is a screen shot of the nighthawk instructions, the files the nighthawk generated in the correct OpenVPN folder and the OpenVPN network adapter.


Can we get past the basics and solve the problem... which is OpenVPN "Cannot load certificate file client.crt"

 

Here is the error in OpenVPN's log file:

 

2023-11-10 14:19:54 us=781000 OpenVPN 2.6.7 [git:v2.6.7/53c9033317b3b8fd] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Nov 8 2023
2023-11-10 14:19:54 us=781000 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-11-10 14:19:54 us=781000 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2023-11-10 14:19:54 us=781000 DCO version: 1.0.0
2023-11-10 14:19:54 us=781000 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-11-10 14:19:54 us=781000 Need hold release from management interface, waiting...
2023-11-10 14:19:55 us=281000 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52292
2023-11-10 14:19:55 us=390000 MANAGEMENT: CMD 'state on'
2023-11-10 14:19:55 us=390000 MANAGEMENT: CMD 'log on all'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'echo on all'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'bytecount 5'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'state'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'hold off'
2023-11-10 14:19:55 us=687000 MANAGEMENT: CMD 'hold release'
2023-11-10 14:19:55 us=687000 WARNING: No server certificate verification method has been enabled. See  for more info.
2023-11-10 14:19:55 us=703000 OpenSSL: error:0A00018E:SSL routines::ca md too weak:
2023-11-10 14:19:55 us=703000 MANAGEMENT: Client disconnected
2023-11-10 14:19:55 us=703000 Cannot load certificate file client.crt
2023-11-10 14:19:55 us=703000 Exiting due to fatal error
Message 15 of 20
Kitsap
Master

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

Yes, I can see the image you attached.

 

Your cable modem could well be the problem if its configuration prevents the R7000 from having direct access to the internet via a WAN IP address.

 

Repeat question.  What is the brand name and model number of your cable modem?

 

Do you use a Dynamic Domain Name Server service like NO-IP?

 

Attached is a VPN configuration snip that is running with a file download to an outside connection as I write this.

 

For test purposes, you might give it a try.

 

 

 

 

Message 16 of 20
discountcoffee
Aspirant

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

@Kitsap 

I have a static ip on the nighthawk

 

the cable modem it is connected to is a hitron cgnm-2250

 

Again if OpenVPN cannot open the file client.crt the connection hasn't even made it outside of the home network.

 

I think the problem is with the client.crt file that the Nighthawk generated. 

 

 

Message 17 of 20
Kitsap
Master

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt


@discountcoffee wrote:

@Kitsap 

I have a static ip on the nighthawk

 

the cable modem it is connected to is a hitron cgnm-2250

 

Again if OpenVPN cannot open the file client.crt the connection hasn't even made it outside of the home network.

 

I think the problem is with the client.crt file that the Nighthawk generated. 

 

 


The Hitron CGNM-2250 is the problem.  It is a combination modem/router and it is preventing your downstream connected R7000 from obtaining a WAN IP address.  The WAN IP address as assigned by your ISP is required for the VPN server to validate the certificate when a connection is established.  Looking around on the net a little bit shows many topics related to users attempting to put the Hitron CGNM-2250 into bridge mode.  Very few hints at success.  Sometimes it is called modem only mode.  No router function and no Wi-Fi with WAN IP address pass through among other things.

 

The best recommendation I can give you is to replace the modem/gateway unit.  Preferably with a device that is a modem only and then use your R7000 router connected downstream.

 

The VPN certificate generated by the R7000 is fine.  The network device you have connected upstream of the router, and thus your network, is not fine.

 

Good luck.

Message 18 of 20
discountcoffee
Aspirant

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt

@Kitsap 

I was able to use openvpn's cloud connexa without issues to set up a vpn through the hitron.

 

I still believe the problem is the original error from the basic openvpn client which was it couldn't open the certificate file.

 

Message 19 of 20
Kitsap
Master

Re: Nighthawk R7000 openvpn Cannot load certificate file client.crt


@discountcoffee wrote:

@Kitsap 

I was able to use openvpn's cloud connexa without issues to set up a vpn through the hitron.

 

I still believe the problem is the original error from the basic openvpn client which was it couldn't open the certificate file.

 


Several months into this issue, I can now report success with a solution.  At least on my part.

 

I have several Windows 10 computers in various locations, a variety of laptops and desktops with both Windows 10 Home and Pro installed.  About half would connect back to the router using the Open VPN client software and about half would not.  A combination of Open VPN client software and configuration files from versions 2.6.5 forward were installed.

 

I could not find a common thread as to why some of the machines would work and some not.  Went through many configuration file sets and Open VPN client software versions 2.6.5 forward.  On a couple of machines I even did a full clean install of Windows 10.

 

This past week I took another run at the issue.  Before taking the Windows 10 configurations too far apart, I installed the new client software version 2.6.10 and created a new set of configuration files.

 

The end result was it connected fine and worked like a charm with remote access to various devices on my home LAN.

Message 20 of 20