
Morganino
Jun 26, 2017
Solved

Netgear R7000 and OpenVPN for Android App

Hi,

Since the last OpenVPN for Android App update (v.0.6.73), downloadable at the following link:

https://play.google.com/store/apps/details?id=de.blinkt.openvpn

the OpenSSL version was upgraded to 1.1 and I cannot connect to my R7000 router from outside anymore, because for security reasons OpenSSL v.1.1 doesn't accept MD5 certificates, since they have a weak signature.

 

Could Netgear upgrade the R7000 firmware to create OpenVPN SHA256 certs instead of MD5? Below is the OpenVPN FAQ with explanations:

http://ics-openvpn.blinkt.de/FAQ.html#weakmd_title

It's a security enhancement that may be helpful to the whole community that has this fantastic router.

 

Router Firmware: 1.0.7.12

Smartphone Model: LG Google Nexus 5X v.7.1.2 with June 5th 2017 patches.

 

Regards.
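
To see which digest signed a PEM certificate from the router's OpenVPN configuration package, the signature algorithm can be read directly from the certificate's DER structure. This is an added example, not code from the original post, Netgear or OpenVPN; the helper names are hypothetical and the sample certificates are constructed skeletons with dummy fields.

```python
import base64
import re

# Signature-algorithm OIDs under 1.2.840.113549.1.1 (PKCS #1).
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(pem_text):
    """Name (or dotted OID) of the algorithm that signed a PEM certificate."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    _, cert, _ = read_tlv(base64.b64decode(m.group(1)), 0)  # Certificate
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)      # signatureAlgorithm SEQUENCE
    _, oid, _ = read_tlv(alg, 0)         # its OBJECT IDENTIFIER
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def tlv(tag, body):  # minimal DER encoder, used only to build the sample below
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample_pem(last_arc):
    """Constructed DER skeleton with dummy fields; not a real certificate."""
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + alg) + alg
              + tlv(0x03, b"\x00" + b"\xaa" * 128))
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
```

Calling cert_signature_algorithm() on the text of a certificate file returns "md5WithRSAEncryption" for the kind of certificate this thread is about and "sha256WithRSAEncryption" for one signed with SHA256.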

  • Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.

     

    Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:

     

    http://192.168.1.1/debug.htm

     

    If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.

138 Replies

  • Hi,

     

    Running R7000 with the 1.0.8.34 North American firmware, and facing connectivity issues with the latest OpenVPN for Android release. How do I generate the OpenVPN SHA256 certificates?

     

    Regards

    • You cannot enroll SHA256 certificates by yourself; you need Netgear to update the R7000 firmware and include this enhancement.

      I hope Netgear will consider this in next firmware release.

      • Morganino
        Tutor

        As suggested in the above link, if you want to connect again to OpenVPN on the R7000 you need to add:

         

        tls-cipher "DEFAULT:@SECLEVEL=0"

         

        in your OpenVPN for Android profile advanced configuration, but you're exposed to the MD5 weakness vulnerability.

        Hope Netgear will upgrade firmware asap.

         

        Regards.

  • OpenVPN says MD5 will stop working in April 2018. See screenshot.
  • I agree. This needs to be resolved. I am on firmware V1.0.9.18_1.2.27 and just re-downloaded all my OpenVPN stuff and still get the messages. Frustrating, but not as much as it will be in May :-(

    Using OpenVPN Connect 1.1.27(build 96)

     

    I don't get any messages with Tunnelblick

    • Diggie3
      Luminary
      Netgear is using MD5 for the VPN?!

      HOLY ****! That's terrible!

      Not only this, but we can't even generate new keys on the router still.

      Netgear security is a total joke if this is true.
      • 96708
        Apprentice

        NG doesn't give a flying F how many times you call or write about MD5 here. So throw the hammer down and file the BBB complaint.

  • +1 for this. The main reason I bought an R7000 was because I wanted a built-in VPN server feature, but it's been a letdown to find that it's been completely neglected and using outdated security. Was a pain to find a client that would connect, and even that one will be dropping support for MD5 soon, rightfully so.

     

    Netgear, you seem to be pretty reactive in releasing updates for other security issues, please consider this one with the same level of importance.

    • Diggie3
      Luminary
      ElaineM JamesGL ChristineT can one of you give me thumbs up that it's okay to post the steps to update the keys in a new thread here. I just want to confirm that it wouldn't break the rules to do so.
      • 96708
        Apprentice

        NG needs to get its s together when customers are coming up with a fix. Is the elite tech support incompetent or sitting on their a while we wait and wait for a solution?

  • BBB closed my case and said that NG responded adequately.  They said they are working on a fix but no ETA.

    • katsaw
      Guide

      NG updates the firmware frequently, but not the encryption of OpenVPN!

      I don’t know if they are interested in updating the model R6220 which I have, since it is not the most popular model in the market, unlike the R7000.

  • Hi guys!

     

    I've been using the VPN service on my R7000 router for years without problems. On Windows computers it is still running. But I'm really angry because I haven't been able to make it run on my Android phone for several weeks. I have installed the newest updates on my Android phone and also on my router. I still get the message "OpenVPN server certificate verification failed". How come such an elementary thing is not working well?! Will Netgear ever fix this?! Or is it somehow fixed? If not, I will have to purchase some better product and never ever want to hear of Netgear...

    Thanks in advance for answers. Have a nice day, all!

  • It seems to regenerate certs indeed. After confirming, there's a progress bar for a few seconds. Updated profile on phone client and it's happy, works and no more warning.

     

    <<Attention>> A new OpenVPN configuration package for your router is available that enhances your router's security. You must update the OpenVPN configuration package for your router. Once the OpenVPN configuration package is updated, you must update the OpenVPN configuration package on all your clients; otherwise, your clients won't be able to access your router using the VPN feature.
  • I downloaded the new firmware (you need to download the file as the router does not find this new beta firmware) and re-created new keys. OpenVPN is working fine on my Android. Also, the upgrade did not seem to change any settings that I am aware of.

    • Frankyvee
      Guide

      Can you tell me what the exact firmware update file name or version # that you used?

      Thank You

    • ClarDold
      Apprentice
      Nothing for my R7000P, yet.
      Ironically, I got the P because the web wisdom was that it supported Android VPN, and the non-P did not.
      • ClarDold
        Apprentice
        Update from NETGEAR:
        Hi Clarence,
        This is a follow up on the case. Our engineering team are still working on a fix and it will be before the OpenVPN officially drops support for it.
        =========================

        Well, it's past April, and my Android still works, so this could just mean that OpenVPN has decided to let Netgear continue to connect.

        The pop-up went away, but the message is still in the log "end of April".
  • I haven't tried the new firmware since I used Diggie3's excellent instructions to install my own certs (and I'm afraid that the new firmware could break things).  

     

    FYI: As an alternative, I just re-purposed an old RaspberryPi 2b to test as a VPN server using http://www.pivpn.io.  It literally took 15 minutes to set up from scratch.  My clients connect to this RbPi VPN in 1 second compared to the 5-10 sec it took to connect to the R7000 VPN.  By default, connecting to this PiVPN server will route all traffic to your RbPi.  If you want only certain traffic routed over this VPN, then you could add these lines to your client config (.ovpn) files [where xxx is the IP address on your LAN that you want to access]:

     

    route-nopull
    route xxx 255.255.255.255 vpn_gateway