Re: MD5-Signed Certificate Warning with OpenVPN on iOS
I need to have a solution up and running for the next month(s). My backup plan was the VPN service in Apple's Server.app. Apple killed VPN services last week in the update of server.app.
What are the options? OpenVPN as a server exists on MacOS? OpenVPN on a raspberry PI?
Or another router? Which routers run OpenVPN?
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
Aha, overlooked that PDF file. I'll power up my Windows notebook and give it a try.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
This is brutal that users have to telnet in to manually reissue and configure it. It's such a simple dev feature, and Netgear can't fix it? For a network connectivity provider you think they would take security more seriously and upgrade the crypto from an algorithm (MD5) that was severely compromised over a half a decade ago.
What is taking so long?
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
The solution we've described does the computational work on your PC which is what makes it feasible. Netgear could just send you pre-calculated keys but that'd be less secure since they'd have a copy of them and they could be intercepted in transit.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
Fair enough, appreciate the work put into the guide
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
@pyrmont wrote:
I'll be the first to criticise Netgear for how slowly they're moving but I think the difficulty, explained by Diggie3, is that the router has a very weak CPU and calculating the new cryptographic keys is computationally very difficult.
Considering Netgear does maintain Netgear Genie software for Windows and macOS - integrating this process there would be a possible option. In either case, Netgear would do good migrating to EC (Elliptic Curve) for OpenVPN and https access - the CPU load would be lowered massively.
@pyrmont wrote:
The solution we've described does the computational work on your PC which is what makes it feasible. Netgear could just send you pre-calculated keys but that'd be less secure since they'd have a copy of them and they could be intercepted in transit.
I fear Netgear will "just" update some code and continue to integrate a certificate (with a shared private key - what a joke) signed by a trusted CA for the ubiquitous domains.
A feasible choice would be to migrate to support Let's Encrypt and its automated RA processes.
Let's see what they will implement - the next weeks will tell. None of my related emails sent to Netgear key people was answered (except by the R9000/R8900 project engineer).
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
@martijn76 wrote: Hasn't this been solved by the latest 1.0.2.46 firmware? Haven't installed it yet, but the changelog does say:
New Features and Enhancements: Supports the VPN client feature. And this would suggest a fix in the VPN department.
This "VPN Client" is a new feature for your router model: It does allow to initialise a VPN connection from the router i.e. to your office or to a hide-my-a** VPN server.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
However, if I was in the web interface and it said, "Are you sure you want to continue? Generating new certificates and parameters could take up to an hour and router performance may be slower during that time", I would be fine with it. Who wouldn't rather do that than pull out a laptop and do it all manually? Just run it before bed.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
I'm not a VPN expert. I've always updated software to make sure that I get the latest features and security protection in my software apps. OpenVPN software has been updated for both servers and clients since I installed it on the iOS and Windows clients. I'm currently using at least a year old version of OpenVPN client software on my iOS and Windows 10 devices through the R7000 OpenVPN tunnel. I am also getting the MD5 certificate warning on my iOS devices. It would appear to me that an upgrade is needed to the VPN server software hosted by the R7000 and also updates to the apps running in the iOS devices. Am I correct?
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
@Diggie3 wrote:
The server is fine it just needs new certificates.
...when leaving alone the outdated OpenSSL used, the also outdated OpenVPN server, probably yes. And this might require changing some OpenVPN config controls, too.
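A way to see which certificate actually carries the MD5 signature, the point the posts above turn on (an added example, not from the thread or from Netgear's guide): it reads the outer `signatureAlgorithm` of every PEM certificate in a file or profile. The function names, the OID table and the `sample_pem` skeleton are constructed for illustration.

```python
import base64
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# signatureAlgorithm OIDs -> (name, True if the hash is MD5/SHA-1 and should be replaced)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0  # valid for first arcs 0 and 1
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier
    oid_tag, a, b = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    oid = decode_oid(der[a:b])
    return SIG_ALGS.get(oid, (oid, None))       # None = not in the table, check by hand

def audit_pem(text):
    """Check every CERTIFICATE block in a PEM file or a profile with inline certificates."""
    blocks = [b.split(END)[0] for b in text.split(BEGIN)[1:]]
    return [cert_signature_algorithm(base64.b64decode("".join(b.split()))) for b in blocks]

def sample_pem(oid_hex):  # constructed input, not a real certificate
    body = bytes.fromhex("308190") + bytes(0x90) + bytes.fromhex("300d0609" + oid_hex + "0500030200aa")
    der = bytes.fromhex("3081") + bytes([len(body)]) + body
    return BEGIN + "\n" + base64.b64encode(der).decode() + "\n" + END + "\n"
```

Pass the text of a CA or client certificate file to `audit_pem`; any entry flagged `True` is a certificate that has to be reissued with a stronger hash.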
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
Received an email from Netgear security: We've improved your security. Download the latest firmware to stay up-to-date. Use the Nighthawk App (formerly NETGEAR Up) to update your firmware.
No new firmware for the R7000. Fingers crossed.
To prepare for a VPN meltdown on May 1st, I installed PiVPN on an old Pi3. Piece of cake.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
This was a joke right? Netgear sent me an email to say there is a new firmware when all it was is just to get me to install their stupid iOS Nighthawk app. There is no new firmware yet for R6900.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
This is a joke right? Netgear sent me an email to say there is a new firmware when all it was is just to get me to install their stupid iOS Nighthawk app. There is no new firmware yet for R6900.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
@Repiuk wrote: I need to have a solution up and running for the next month(s). My backup plan was the VPN service in Apple's Server.app. Apple killed VPN services last week in the update of server.app.
What are the options? OpenVPN as a server exists on MacOS? OpenVPN on a raspberry PI?
Or another router? Which routers run OpenVPN?
Where did you see that Apple removed VPN services from the server app? I installed that update and definitely still have VPN services enabled and working. However, I did notice that a lot of the services are now hidden in the main app, but you can still access them by clicking on the "View" option in the menu bar.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
@Repiuk wrote: I need to have a solution up and running for the next month(s). My backup plan was the VPN service in Apple's Server.app. Apple killed VPN services last week in the update of server.app.
Living in a totalitarian regime which forced Apple to remove it from the regional store? AFAIK this happened in China last summer already.
Netgear promised (at least) some signs of a coming-up solution, with the ability to get early access -> https://community.netgear.com/t5/Nighthawk-WiFi-Routers/R8000-VPN-and-dropping-of-MD5-signed-certifi...
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
Where did you see that Apple removed VPN services from the server app? I installed that update and definitely still have VPN services enabled and working. However, I did notice that a lot of the services are now hidden in the main app, but you can still access them by clicking on the "View" option in the menu bar.
Or another router? Which routers run OpenVPN?
I had VPN switched Off during the update and now it's hidden, I didn't check the View menu. I found it!
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
Netgear, please hurry!
Don't push your users to modify their devices on the last day of the presence of MD5-support. You know for a long time that a solution must be given to your users! Why taking so long?
Most people who are abroad can't reach their router without a VPN.
Re: MD5-Signed Certificate Warning with OpenVPN on iOS
Unacceptable!