This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
OpenSSL version was upgraded to 1.1 and I cannot connect to my R7000 Router from Outside anymore, because for security reasons OpenSSL v.1.1 doesn't accept MD5 certificates because have a weak signature.
May Netgear upgrade R7000 firmware to create OpenVPN SHA256 certs instead MD5, below the OpenVPN's FAQ with explanations:
Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.
Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:
If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.
Running R7000 with the 1.0.8.34 North American firmware, and facing connectivity issues with the latest OpenVPN for Android release - How to generate the OpenVPN SHA256 certifications?
Thanks. That did the trick. OpenVPN for Android can connect now. Joining the request to Netgear to release a firmware upgrade, removing the MD5 weakness.
Adding that line to configuration makes it work again but at the end the current VPN implementation from Netgear is not safe and they should upgrade asap.
I agree. This needs to be resolved. i am on firmware V1.0.9.18_1.2.27 and just re-downloaded all my OpenVPN stuff and still get the messages. Frustrating but not as much as it will be in May :-(
Good for you. I filed one as well. Keep the pressure on. I consider this a simple napalm flyover spayobver on them to light them on fire so to speak. The sum all fears nuclear option is still available and that would be initiating the help of cybersecurity firms. Only with broad exposure in the news -- and damage to the image of the brand along with lost sales -- will they really do anything IMO.
After spending a day or so, I have managed to replace the VPN certificates and keys on the R7000 and verified it's working using OpenVPN Client app for Android. Also verified the old, replaced keys are dead.
I can try to post a tutorial but it will take some time and will be quite long just because of the number of tools involved. I also can only post a Windows guide but it should be possible from any platform.
Anyway: My point is it's possible, but it definitely isn't easy.
Also, if NG engineering is reading, I would say not only md5 signature but also size of the keys and DH param size are really not acceptable. Probably this has been optimized to minimize key generation time per unit, but I think this has to be improved.
Please do post steps. I played with ASUS Merlin Voetex for my R7000 and liked it a lot. Cpu usage very low and I can control the VPN certificate directly. Just wanted to use circle.
At this point I am planning to buy a real circle and get off the offical netgear firmware.
But, it would be good to know how to change it if I wanted to.
I won't enjoy some pointers. I don't need detailed steps. I might not want lots of hacking. I have done things like mounting iso images for modification and such, using Linux tools.
If you message me directly, we could chat about how difficult it seems. I have done formal documentation.
If there's no update from Netgear, I might look to DD-WRT.
Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
I have asked one of the moderators if it's okay to make a new post with steps, since I don't know if such things are allowed. I hope I get a thumbs up, since this will help people solve the problem themselves at least in the short term. When I hear back I'll follow up.
BTW, I did manage to get SHA256 certs working, and surviving reboot and firmware changes, so that's good news. Also, larger key sizes and DH params work too.
+1 for this. The main reason I bought an R7000 was becasue I wanted a built-in VPN server feature, but it's been a letdown to find that it's been completely neglected and using outdated security. Was a pain to find a client that would connect, and even that one will be dropping support for MD5 soon, rightfully so.
Netgear, you seem to be pretty reactive to release update for other security issues, please consider that one with the same level of importance.
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
@ElaineM@JamesGL@ChristineT can one of you give me thumbs up that it's okay to post the steps to update the keys in a new thread here. I just want to confirm that it wouldn't break the rules to do so.
