
Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000

Ceepeebee
Tutor

17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000

Hi all,

 

I just wanted to share my experience.

 

I'm a reviewer of mobile technology and consumer gadgets and I actually have been reviewing Netgear products for a few years. Prior to the X10 I used an R7000 and had nothing but issues in the last 12 months with WiFi drops and poor performance.

 

My Netgear contact got in touch and we discussed whether the same issues were about in the R9000. I've been using it absolutely religiously now for a fair few months, but there is one area that still fails, constantly. The VPN service.

 

Firstly, the fact that I cannot create a VPN unless I am using a static IP or DDNS service is just mental. I am using a private host, but I can't configure it as the VPN service won't let me add it in. On older firmware/routers I could take the warning under advisement and proceed anyway, safe in the knowledge I can change the config. Anyway, that's the least of my issues.

 

No matter what firmware I use, or settings I configure, every certificate delivered by the router itself is expired (1901) on creation. I'm led to believe that this might be because of the hard-coded nature of the certificate creation.

 

I had direct access to some high-end engineers to assist me in the last few months on this and subsequently, I had access to the latest firmwares well before the majority did. Whilst this support was top notch (really quality information from the team there to be fair) nothing has delivered a resolution. So, the long and short is I'm sitting here with the X10, delivering good performance, but I'm unable to unlock one of the most crucial features for me in a router, a VPN connection whilst away from home.

 

Does ANYBODY out there have any information about how this has been resolved, outwith obtaining a replacement unit? I've approached Netgear on that front and I'm awaiting a response, but this is a serious issue that I'm sure is affecting many more people than just me (as is evidenced by some of the posts).

 

 

Model: R9000|Nighthawk X10 AD7200 Smart WiFi Router
Message 1 of 14
schumaku
Guru

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000


@Ceepeebee wrote:

Firstly, the fact that I cannot create a VPN unless I am using a static IP or DDNS service is just mental. I am using a private host, but I can't configure it as the VPN service won't let me add it in.

 


Just for better understanding - talking of the VPN Server on the R9000 does require (not sure about the fixed IP part) a [Netgear] DDNS configured, there is no alternate choice to specify a different fully qualified hostname indeed. No other way than edit the .ovpn config - that's what we do here, too.  

 

@Ceepeebee wrote:

 

No matter what firmware I use, or settings I configure, every certificate delivered by the router itself is expired (1901) on creation. I'm led to believe that this might be because of the hard-coded nature of the certificate creation.

The certificate creation is slightly borked - if the R9000 has not set a current date/time, the certificates are created a) regardless, and b) somehow it's marked for "already created the new certificates" - thus even if the date/time is correct on later boots, the certificates are not recreated.

 

@Ceepeebee wrote:

 

I had direct access to some high-end engineers to assist me in the last few months on this and subsequently, I had access to the latest firmwares well before the majority did. Whilst this support was top notch (really quality information from the team there to be fair) nothing has delivered a resolution. So, the long and short is I'm sitting here with the X10, delivering good performance, but I'm unable to unlock one of the most crucial features for me in a router, a VPN connection whilst away from home. 

Had challenged them several times for an option or at least some shell process for forcing the creation of a new set of self-signed certificates. One typical example would be if the information (specifically the private key) was leaked or suspected stolen. Re-creating certificates should be possible from the Genie Web UI - it's a standard security admin task in my opinion. Never heard back since then...

 

Message 2 of 14
schumaku
Guru

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000

@Ceepeebee - Email n+1 sent out on the similar subject. Included @johngm in the distribution as his business unit Orbi Pro is affected, too.

Message 3 of 14
Ceepeebee
Tutor

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000


@schumaku wrote:

@Ceepeebee wrote:

Firstly, the fact that I cannot create a VPN unless I am using a static IP or DDNS service is just mental. I am using a private host, but I can't configure it as the VPN service won't let me add it in.

 


Just for better understanding - talking of the VPN Server on the R9000 does require (not sure about the fixed IP part) a [Netgear] DDNS configured, there is no alternate choice to specify a different fully qualified hostname indeed. No other way than edit the .ovpn config - that's what we do here, too.  

 

 


Thanks for your response. Just on this, back on the R7000 I could choose to start the VPN service on the admin console, and simply ignore the "it's advised you have a DDNS host" message, safe in the knowledge I was going to edit the OVPN config and update the dynamic IP it was created with, with my DDNS host from another provider.

 

My issue is that this "warning" now doesn't allow this. It simply refuses to allow the VPN service to be created until you choose a DDNS, which is silly to me. Keep the warning, allow advanced users to ignore it and configure their non-standard DDNS themselves in the subsequent config. 

 

I just wish there was a resolution as everything else about this router is superior to my previous Netgear devices.

Message 4 of 14
schumaku
Guru

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000


@Ceepeebee wrote:

My issue is that this "warning" now doesn't allow this. It simply refuses to allow the VPN service to be created until you choose a DDNS, which is silly to me. Keep the warning, allow advanced users to ignore it and configure their non-standard DDNS themselves in the subsequent config. 


I would wish that Netgear would start to listen to their customers (and loyal friends!) and add an option to define a fully qualified host name, so users with their own DNS or DDNS can put it in, the OpenVPN remote host name would be filled in correctly, and there would be no need to touch the device shell and edit OVPN config files. 8-)

Message 5 of 14
Ceepeebee
Tutor

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000


@Case850 wrote:

@Ceepeebee  wrote: >>> I just wish there was a resolution as everything else about this router is superior to my previous Netgear devices.

 

Are you serious? The R9000 is expensive, bug riddled and has 802.11ad (which is now dead)... Just read these forums.

 

If you want a reliable VPN then try the EdgeRouter X US$49.

https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server

 

ISP > EdgeRouter X (router mode) > R9000 (AP mode)


I don't want a VPN appliance though - I don't have the need for it over and above the basics that this router SHOULD offer. Everything else works flawlessly for me. 802.11AD is kind of pointless anyway in my setup.

Message 6 of 14
Altsai
NETGEAR Expert

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000

Which FW version did you use now? Just upgrade to latest one v1.0.4.2 and reset-to-default to see if the issue can be fixed?

Model: R9000|Nighthawk X10 AD7200 Smart WiFi Router
Message 7 of 14
mingle123
Tutor

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000

Maybe the cert is wrong. You can check the cert info and figure out whether the cert is right or not; that may be helpful.

 

Message 8 of 14
Ceepeebee
Tutor

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000


@mingle123 wrote:

Maybe the cert is wrong. You can check the cert info and figure out whether the cert is right or not; that may be helpful.

 


The cert is most definitely incorrect. As I say, every time the router delivers a certificate to be used by OpenVPN, it's already invalid (i.e. only certified until 1901 and as such it's over 100 years expired already!).

 

 

Message 9 of 14
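Added example, not part of any poster's message and not Netgear code: one way to read the validity window straight out of a certificate and tell "expired since creation" apart from ordinary expiry. The sample bytes are a constructed skeleton (not a real certificate) whose dates are assumptions chosen to mimic the 1901 expiry reported in this thread.

```python
from datetime import datetime, timezone

def read(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length: low 7 bits = byte count
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                   # UTCTime: 2-digit year, RFC 5280 says >=50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Extract (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = read(der, 0)         # Certificate SEQUENCE
    _, tbs, _ = read(cert, 0)         # TBSCertificate SEQUENCE
    tag, _, nxt = read(tbs, 0)
    pos = nxt if tag == 0xA0 else 0   # skip the optional [0] version field
    for _ in range(3):                # skip serial, signature algorithm, issuer
        _, _, pos = read(tbs, pos)
    _, val, _ = read(tbs, pos)        # Validity SEQUENCE
    t1, b1, p = read(val, 0)
    t2, b2, _ = read(val, p)
    return parse_time(t1, b1), parse_time(t2, b2)

def check(der, now):
    nb, na = validity(der)
    if na <= nb:                      # window is empty: the cert was never usable
        return "never valid: notAfter is not later than notBefore"
    if now < nb:
        return "not yet valid"
    return "expired" if now > na else "ok"

# Constructed skeleton: only the fields the parser walks, short-form lengths only.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body
def sample(nb, na):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + tlv(0x30, b"") + tlv(0x30, tlv(*nb) + tlv(*na)))
    return tlv(0x30, tlv(0x30, tbs))

BAD = sample((0x17, b"700101000030Z"), (0x18, b"19011213204552Z"))
GOOD = sample((0x17, b"240101000000Z"), (0x17, b"340101000000Z"))
```

For a real PEM file such as the downloaded `ca.crt`, convert first with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the result to `check()` together with the current UTC time.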
Ceepeebee
Tutor

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000


@Altsai wrote:

Which FW version did you use now? Just upgrade to latest one v1.0.4.2 and reset-to-default to see if the issue can be fixed?


I'm on 1.0.4.2 and have been for some months as I had this before it was released to BETA. I've since factory reset and used the downloads section version all to no avail.

 

The certificate created by my router still gets created already expired.

Message 10 of 14
Altsai
NETGEAR Expert

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000

After FW upgrade and reset your R9000 to factory default, did you redownload the VPN config files for your devices? If still an issue, I suggest you contact support team for assistance. Thanks.

Model: R9000|Nighthawk X10 AD7200 Smart WiFi Router
Message 11 of 14
schumaku
Guru

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000

@Altsai, there must be ways to re-create the https and the OpenVPN certificates - ideally with a button click for each. This factory reset button story is not acceptable for your customers buying routers for several hundred USD. 

Message 12 of 14
Ceepeebee
Tutor

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000


@Altsai wrote:

After FW upgrade and reset your R9000 to factory default, did you redownload the VPN config files for your devices? If still an issue, I suggest you contact support team for assistance. Thanks.


I'm assuming you read my admittedly long original post? I've been chatting to support for quite a long time (as the title even mentions). Still nothing....I fear the only recourse is to get a new unit but I'm waiting on a response from my contact for that.

Message 13 of 14
icatt23
Guide

Re: 17 Emails, 6 months, and STILL no valid Certificate to allow VPN on R9000

With regards to the r7000.  It's not dropping wireless connection.  It's the router disconnecting from the internet randomly.  It's been happening for years with no fix.  Should be recalled.  

Message 14 of 14