Forum Discussion
Morganino
Jun 26, 2017, Tutor
Netgear R7000 and OpenVPN for Android App
Hi, since last OpenVPN for Android App update (v.0.6.73) downloadable at the following link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn OpenSSL version was upgraded to 1.1 and...
Diggie3
Feb 28, 2018, Luminary
NG_Guru, I went to investigate http://192.168.1.1/debug.htm. I found that:
* It did not exist on R7000 FW versions 1.7.x.
* It does exist on the latest FW version, 1.9.26, but the code to display and send the telnet option to the router has been commented out in debug.htm, so it's not user accessible. This FW is less than a month old.
Therefore I think this option is very likely to be dependent on which model you have and which firmware version you are using. Clearly the page doesn't always exist, and if it does exist NG may be disabling that option.
Diggie3
Feb 28, 2018, Luminary
Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
- katsaw, Feb 28, 2018, Guide
Diggie3 wrote:
> Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
> Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
> If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
Thanks for the new update of your instruction guide.
I am so lucky that my R6220 router still has the "debug.htm" hidden page with the "enable telnet" option.
Thanks for answering all my questions in these days.
Whether or not I can successfully change the VPN key / certificate with your method, I will get back to this post to confirm.
- fcol, Mar 01, 2018, Tutor
Diggie3 - I just followed your 1.0.1 instructions and successfully replaced my keys onto my R7000. Those instructions were excellent. Thank you so much for taking the time to do this!
- katsaw, Mar 02, 2018, Guide
Diggie3 wrote:
> Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
> Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
> If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
Hi Diggie3,
Unfortunately the result for my R6220 is negative. I completed all the procedures described in your instructions and rebooted the router. After rebooting, OpenVPN cannot connect using the new certificate, but the old certificate still functions properly.
By enabling telnet thru' "192.168.xx.1/debug.htm" again, I found that all the files under the directory "/tmp/openvpn" have been restored to the originals. The files "originalkeys.zip" & "newkeys.zip" that were added during the procedure have been removed.
It seems the R6220 router only stores the files in /tmp/openvpn temporarily but has another true location where the actual certificates are stored.
Also, every reboot will clear the "enable telnet" setting.
During the discussion of this post this week, the router had not been rebooted. Therefore I only discovered this fact yesterday.
Remark: I checked the updated files in "/tmp/openvpn" with the "cat" command before rebooting; all 6 mentioned files had been updated.
- Diggie3, Mar 02, 2018, Luminary
katsaw You could try this:
cat /proc/mounts
Here's some output from the R7000:
/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0
The reason we can update the keys is that /tmp/openvpn is a read-write jffs2 filesystem, which is a compressed, non-volatile file system. That was a smart move on Netgear's part. See if you have something similar. The R7000 also has /tmp/media/nand of this type, but there's no OpenVPN content there on the R7000, and I don't know how safe it would be to modify that one (I haven't tried).
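The check Diggie3 describes, turned into a script (an added example, not part of the thread or of the guide): it parses `cat /proc/mounts` output, finds the mount that backs a given path such as /tmp/openvpn, and reports whether that mount is writable and on a filesystem type that survives a reboot. The set of persistent filesystem types is an assumption for this example; the R7000 /tmp ramfs line in the sample input is constructed, the other sample lines are the outputs quoted in this thread.

```python
import posixpath

# Filesystem types whose contents survive a reboot (an assumption for this
# example; extend the set for your own device).
PERSISTENT_FS = {"jffs2", "ubifs", "yaffs2", "ext2", "ext3", "ext4", "vfat", "squashfs"}

def parse_mounts(text):
    """Parse /proc/mounts text into (mountpoint, fstype, option-set) tuples.
    Blank lines and echoed shell prompts (lines starting with '#') are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        _device, mountpoint, fstype, options = fields[:4]
        entries.append((mountpoint, fstype, set(options.split(","))))
    return entries

def backing_mount(entries, path):
    """Return the entry whose mountpoint is the longest prefix of path."""
    path = posixpath.normpath(path)
    best = None
    for mountpoint, fstype, options in entries:
        mp = posixpath.normpath(mountpoint)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, options)
    return best

def check_path(text, path):
    """Describe the mount backing `path`: is it writable and non-volatile?"""
    found = backing_mount(parse_mounts(text), path)
    if found is None:
        return {"mountpoint": None, "fstype": None, "writable": False, "persistent": False}
    mountpoint, fstype, options = found
    return {"mountpoint": mountpoint, "fstype": fstype,
            "writable": "rw" in options, "persistent": fstype in PERSISTENT_FS}

# Sample input. The jffs2 line is the R7000 output quoted in the thread and the
# R6220 lines are from katsaw's reply; the R7000 "/tmp ramfs" line is constructed.
R7000_MOUNTS = "none /tmp ramfs rw,relatime 0 0\n/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0\n"
R6220_MOUNTS = "# # cat /proc/mounts\n/dev/root / squashfs ro,relatime 0 0\nnone /tmp ramfs rw,relatime 0 0\n"

if __name__ == "__main__":
    for model, text in (("R7000", R7000_MOUNTS), ("R6220", R6220_MOUNTS)):
        r = check_path(text, "/tmp/openvpn")
        ok = r["writable"] and r["persistent"]
        print(f"{model}: /tmp/openvpn is on {r['mountpoint']} ({r['fstype']}); "
              f"replaced keys {'survive' if ok else 'do NOT survive'} a reboot")
```

On a router, pipe the real output in (`cat /proc/mounts > mounts.txt`) and pass the file contents to `check_path`; a ramfs or tmpfs answer for /tmp/openvpn explains why replaced keys vanish after a reboot.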
- katsaw, Mar 02, 2018, Guide
Diggie3 wrote:
> katsaw You could try this:
> cat /proc/mounts
> Here's some output from the R7000:
> /dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0
> The reason we can update the keys is that /tmp/openvpn is a read-write jffs2 filesystem, which is a compressed, non-volatile file system. That was a smart move on Netgear's part. See if you have something similar. The R7000 also has /tmp/media/nand of this type, but there's no OpenVPN content there on the R7000, and I don't know how safe it would be to modify that one (I haven't tried).
Thanks for your prompt reply! Here it is:
# # cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
ramfs /dev ramfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
none /tmp ramfs rw,relatime 0 0
none /media ramfs rw,relatime 0 0
none /sys sysfs rw,relatime 0 0
none /proc/bus/usb usbfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
/dev/sda1 /tmp/mnt/shares/U vfat rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp950,iocharset=utf8,shortname=mixed,errors=remount-ro 0 0
#
- Diggie3, Mar 03, 2018, Luminary
A couple of updates:
1- Forum user pyrmont has created a set of instructions for Linux users. You can read that here:
http://articles.inqk.net/2018/03/02/netgear-openvpn-keys.html
2- katsaw and I did some more investigation of the R6220 model. The outcome is:
a) I don't think it's possible to update the keys on the R6220 using the same technique as for the R7000. Other methods might exist, but I'm not familiar with them and I have no way to research it.
b) I would recommend R6220 owners disable the OpenVPN server, and if they really need to run a VPN server, look into either third-party firmware or a newer model of router.
- tjjplace, Mar 07, 2018, Aspirant
Awesome post! Thanks! Worked flawlessly. Appreciate you!
- pthorvald, Mar 18, 2018, Guide
THANK YOU!!!
I just went through the instructions and it worked great. You clearly spent some time on this and I appreciate it. For others out there: Here are a few notes on my experience:
- Hidden Page for Telnet. I got to the hidden page, but my router (R7000 Nighthawk AC1900) did not have a button to enable telnet.
- The process requires Python 2.7.
I initially tried using Python 3.x because it was already on my system..... but installing pycrypto did not work till I installed Python 2.7. (I should have followed the instructions :-\)
- IP Address of the router
The instructions kinda assume the default IP address of the router of 192.168.1.1. My address range is different but the instructions were clear enough that it was easy to deal with.
- OpenVPN tools version
The instructions stress that they are for OpenVPN tools version 2.4.4 and that if you use a different version things might look different. I used version 2.4.5 and saw absolutely no differences.
- Step 3.c is optional.
I skipped it.
- In Step 3.e, it tells you to copy 'keys\dh4096.pem'.
On my system the file was named keys\dh2048.pem. This is probably because I skipped step 3.c
- Diggie3, Mar 19, 2018, Luminary
Hi pthorvald,
Indeed an update to OpenVPN has been released. I'll probably end up updating the doc to match it but haven't had time yet -- busy work schedule. I noticed that they say they patched the easy-rsa scripts, which is probably what led to you getting "dh2048.pem".
If anyone else is looking for the 2.4.4 installer to match the doc exactly in the meantime, the download is here:
http://build.openvpn.net/downloads/releases/openvpn-install-2.4.4-I601.exe
Glad you got your router patched up! :)
- pthorvald, Mar 19, 2018, Guide
Hi Diggie3,
Thanks for the quick response!!
> If anyone else is looking for the 2.4.4 installer.......
I guess I did not scroll down the page far enough to find version 2.4.4 of the OpenVPN stuff.... thanks for publishing the link. It is bound to help others find the right version.
> I noticed that they say they patched the easy-rsa scripts, which is probably what led to you getting "dh2048.pem"
Interesting..... it did not even occur to me that the OpenVPN version might have caused the difference..... but it certainly makes sense.
Once again, thank you for publishing your instructions. You were able to make the task possible for us mere mortals!
- giantbike, Mar 24, 2018, Aspirant
I have been lurking in this thread waiting for a solution from Netgear's firmware upgrade to fix the MD5 issue. After an endless wait on their part, it looks like there won't be such a positive outcome. So I took action with the helpful tutorial from Diggie3 and finally successfully set up the proper SHA256-signed certificates.
Here I would like to express my gratitude to Diggie3 for putting together such a helpful and detailed tutorial. Even though the procedure seems daunting, with such detailed explanations and the many helpful pictures attached, I did not run into any difficulty at all. Even though it took me quite a few hours, with breaks in between to digest the different stages of the operation :) At the end, it all came good, with the new OPENVPN server functioning like before but with the new certificates.
Once again I would like to say as many thanks as I can to Diggie3 for your help here. I advise those who are still sitting on the fence waiting for Netgear's team to deliver the solution to give it a try.
- stereoptic, Mar 30, 2018, Tutor
Thanks Diggie3 for putting together that comprehensive manual! I haven't tried it yet, though. :( I have a back-up OpenVPN setup on a Raspberry pi if Netgear doesn't follow through by April 30. Not being critical, but just FYI I did notice on Page 15 that although I see a copy command on the screen grab of the screen, it is not listed in the list of commands in the text.
- Diggie3, Mar 30, 2018, Luminary
stereoptic hey, you're right! I'll put it on the shortlist of things to fix! Appreciate the note!
- jrsalamo, Apr 03, 2018, Aspirant
WONDERFUL directions! Thank you. My Nighthawk 7000P now functions as a VPN server. I experienced three changes from your directions.
1. Section 3.e.2 - instead of dh4096.pem, my file was named dh2048.pem.
2. Section 7.c
- My client.ovpn file needed to have one line added to it at the end -- "remote-cert-tls server" (without the quotes). This prevents man-in-the-middle attacks. The OpenVPN 2.4.5 client will not connect without this line added. Since client.ovpn is a protected file, you will need to open notepad in "admin" mode to edit it.
- Consider adding instructions on how to download the client files to iPhone and android.
For iPhone - Connect iphone to PC via charging cable. Open iTunes 12.x. Click on the iPhone icon below the "Controls" icon. Under "Settings," click on "File Sharing." Click on the OpenVPN icon to the right. Select "Add File...". Add ca.crt, client.crt, client.key and client[x].ovpn. Select "Open". Select "Sync". Select "Done".
- katsaw, Apr 10, 2018, Guide
jrsalamo wrote:
> WONDERFUL directions! Thank you. My Nighthawk 7000P now functions as a VPN server. I experienced three changes from your directions.
> 1. Section 3.e.2 - instead of dh4096.pem, my file was named dh2048.pem.
> 2. Section 7.c
> - My client.ovpn file needed to have one line added to it at the end -- "remote-cert-tls server" (without the quotes). This prevents man-in-the-middle attacks. The OpenVPN 2.4.5 client will not connect without this line added. Since client.ovpn is a protected file, you will need to open notepad in "admin" mode to edit it.
> - Consider adding instructions on how to download the client files to iPhone and android.
> For iPhone - Connect iphone to PC via charging cable. Open iTunes 12.x. Click on the iPhone icon below the "Controls" icon. Under "Settings," click on "File Sharing." Click on the OpenVPN icon to the right. Select "Add File...". Add ca.crt, client.crt, client.key and client[x].ovpn. Select "Open". Select "Sync". Select "Done".
Thanks!
The OpenVPN server of my Tomato router (not NETGEAR) also needs the line "remote-cert-tls server" added to the client ovpn file for a successful connection.
- Someone67387463, Apr 21, 2018, Aspirant
Diggie3 - Thank you very much for the information provided in the guide. I was able to follow the steps and update my R7000.
Just wanted to share some information I found during my process in hopes someone else doesn't have to struggle through the frustration I experienced.
I followed all of the steps without issue until I reached step 2b: Connect to the router. No matter what I did, I was unable to connect via Telnet. Step 1h: Enable Telnet returned the message "Sent Telnet enabled payload to '192.168.0.1'", so it would appear that it was successful, but no Telnet connections were accepted.
It took some time to figure it out, but it seems there was an issue with my choice of password and the enable script. I use a long, complex password to secure my router's admin account. For kicks I changed it to something short and simple, sent the payload again, and was able to connect via Telnet.
If you use a long and/or complex password for your account, and are unable to connect via Telnet after sending the payload in step 1h, you may consider temporarily changing your password to something simple during this process then resetting it back to your desired choice once complete.
- BusterGonad, Apr 21, 2018, Aspirant
Just followed the excellent guide on my R7000. However, when I export the certificates from the VPN settings on the router, they are still the old ones. Which is odd, since they should have been overwritten in the last step (when unzipping newkeys.zip). The last step appeared successful and I then rebooted, but even after the reboot I am still retrieving the old certs from the portal.
- Diggie3, Apr 21, 2018, Luminary
There are two possibilities:
- newkeys.zip has the old keys inside
- you weren't cd'd into the right folder when you unzipped
Well, there are of course many possibilities but those are the most likely!
- BusterGonad, Apr 22, 2018, Aspirant
Hey Diggie3 - thanks for responding.
On closer inspection turns out my router is a D7000 not a R7000 (did try to update the thread last night but the storm knocked out my internet connection).
Definitely had the new certs copied over ok, they just get replaced after the reboot. Guessing the D7000 either needs some extra steps or won't support updating :(
Thanks for the guide anyway - was good fun following :)
- ElfjeTwaalfje, Apr 22, 2018, Tutor
Hi Diggie3, great effort and considerate of you to share your knowledge. I read your document and started working through the steps time permitting. I like to share 3 observations so far.
1- At PuTTY step 2b you mention port 22, whereas in the screenshot you show 23. Port 23 is also in the result of 1h.
2- Given the long time telnet is enabled if I follow your sequence, why not first calculate the new keys, then enable telnet and so on. Then telnet is not open for that long.
3- The PDF is secured. I understand why. However, all information needs to be typed over, including URLs to the software used.
4- Keys now generated. Had to change the paths in VARS.bat to point to the proper %home% and bin path.
Question: when updating the firmware, do I need to redo the change of keys?
- ElfjeTwaalfje, Apr 26, 2018, Tutor
Just finished. Instructions worked great and the result is good, as expected. I did them in the sequence as noted in my earlier post. I also had to temporarily change my router password, as identified by Someone67387463.
- Ravepants, May 03, 2018, Guide
Firmware V1.0.2.46
Hi, thanks for the excellent guide, it did exactly what was needed, however I am still unable to use openvpn.
I'm not 100% sure but I think the router I have (UK) may have some sort of SELinux variant, as once I have completed the guide and rebooted, the certs all go back to the MD5 variants.
I have tested this by following the guide to the letter, then rebooting and clicking the windows button to get the config = old md5 certs, following again, then NOT rebooting, and doing the same = new sha256 certs.
I've given up for now, but just wanted to add this to the conversation as either something I did wrong (don't think so) or that the filesystem may be tamper protected.
- felipemotta, Jun 25, 2018, Tutor
Hi Diggie3,
I used your tutorial to update my OpenVPN keys before Netgear released the new firmware. It was really helpful.
I generated my own CA and my own server and client keys. By the way, with your tutorial, I could create a key for each VPN user, so everyone can connect through the VPN at the same time without sharing the same client key (client.crt and client.key files).
In my case, I have one key and my wife has another. Nevertheless, I wonder, if one key gets compromised, what do I do to get it revoked? I know I have to generate a CRL file, but is the R7000 capable of reading it? If so, where must I put it to make it work? Or is the only solution generating everything again from the very beginning (CA, server and client keys)?
Best regards.