Solved: Netgear R7000 and OpenVPN for Android App

Morganino · ‎2017-06-26

Hi,

since last OpenVPN for Android App update (v.0.6.73) downloadable at the following link:

https://play.google.com/store/apps/details?id=de.blinkt.openvpn

OpenSSL version was upgraded to 1.1 and I cannot connect to my R7000 Router from Outside anymore, because for security reasons OpenSSL v.1.1 doesn't accept MD5 certificates because have a weak signature.

May Netgear upgrade R7000 firmware to create OpenVPN SHA256 certs instead MD5, below the OpenVPN's FAQ with explanations:

http://ics-openvpn.blinkt.de/FAQ.html#weakmd_title

It's a security enhancement that may be helpful to all community that have this fantastic Router.

Router Firmware: 1.0.7.12

Smartphone Model: LG Google Nexus 5X v.7.1.2 with June 5th 2017 patches.

Regards.

Diggie3 · ‎2018-02-28

Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.

Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:

http://192.168.1.1/debug.htm

If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.

View solution in original post

agil · ‎2017-06-27

Hi,

Running R7000 with the 1.0.8.34 North American firmware, and facing connectivity issues with the latest OpenVPN for Android release - How to generate the OpenVPN SHA256 certifications?

Regards

Morganino · ‎2017-06-27

You cannot enroll SHA256 Certificates by yourself, you need Netgear to update R7000 Firmware and include this enhancement.

I hope Netgear will consider this in next firmware release.

Morganino · ‎2017-06-28

As suggested in above link, if you want to connect again to OpenVPN on R7000 you need to add:

tls-cipher "DEFAULT:@SECLEVEL=0"

in your OpenVPN for Android profile advanced configuration, but you're exposed to MD5 weakness vulnerability.

Hope Netgear will upgrade firmware asap.

Regards.

agil · ‎2017-06-28

Thanks. That did the trick. OpenVPN for Android can connect now. Joining the request to Netgear to release a firmware upgrade, removing the MD5 weakness.

Regards,

schumi2004 · ‎2017-07-17

Adding that line to configuration makes it work again but at the end the current VPN implementation from Netgear is not safe and they should upgrade asap.

GearNetRouter · ‎2017-07-18

Can Netgear get its s h i t together and fix the firmware? Why is NG not proactive enough to fix this in advance? WTF?

karl11 · ‎2017-11-05

I'd like to use OpenVPN on my R6900 too, but MD5 keys are just reckless these days. Netgear needs to fix this.

96708 · ‎2017-11-06

Any update to this BS?

@karl11 wrote:
I'd like to use OpenVPN on my R6900 too, but MD5 keys are just reckless these days. Netgear needs to fix this.

kuser · ‎2017-12-14

It is embarrassing and roughly negligent that NG still uses md5 these days.

Netgear has to upgrade its Firmware to SHA256 or better or may face charges in case of damages (Due diligence/state of the art).

ClarDold · ‎2017-12-20

OpenVPN says MD5 will stop working in April 2018. See screenshot.

96708 · ‎2017-12-21

Yup. I encourage you to file a BBB complaint. Need to throw the hammer down on NG or nothing gets down IMO.

kuser · ‎2017-12-22

BBB complaint? Is that the way to go: https://www.bbb.org/consumer-complaints/file-a-complaint/get-started

Maybe we should all do that?

CyBuzz · ‎2017-12-28

I agree. This needs to be resolved. i am on firmware V1.0.9.18_1.2.27 and just re-downloaded all my OpenVPN stuff and still get the messages. Frustrating but not as much as it will be in May :-(

Using OpenVPN Connect 1.1.27(build 96)

I dont get any messages with Tunnelblick

Diggie3 · ‎2017-12-28

Netgear is using MD5 for the VPN?!

HOLY ****! That's terrible!

Not only this, but we can't even generate new keys on the router still.

Netgear security is a total joke if this is true.

96708 · ‎2017-12-28

NG doesn't give a flying F how many times you call or write about MD5 here. So throw the hammer down and file the BBB complaint.

CyBuzz · ‎2017-12-28

BBB Complaint filed.

96708 · ‎2017-12-29

Good for you. I filed one as well. Keep the pressure on. I consider this a simple napalm flyover spayobver on them to light them on fire so to speak. The sum all fears nuclear option is still available and that would be initiating the help of cybersecurity firms. Only with broad exposure in the news -- and damage to the image of the brand along with lost sales -- will they really do anything IMO.

Diggie3 · ‎2017-12-31

After spending a day or so, I have managed to replace the VPN certificates and keys on the R7000 and verified it's working using OpenVPN Client app for Android. Also verified the old, replaced keys are dead.

I can try to post a tutorial but it will take some time and will be quite long just because of the number of tools involved. I also can only post a Windows guide but it should be possible from any platform.

Anyway: My point is it's possible, but it definitely isn't easy.

Diggie3 · ‎2017-12-31

Also, if NG engineering is reading, I would say not only md5 signature but also size of the keys and DH param size are really not acceptable. Probably this has been optimized to minimize key generation time per unit, but I think this has to be improved.

juched · ‎2017-12-31

Please do post steps. I played with ASUS Merlin Voetex for my R7000 and liked it a lot. Cpu usage very low and I can control the VPN certificate directly. Just wanted to use circle.

At this point I am planning to buy a real circle and get off the offical netgear firmware.

But, it would be good to know how to change it if I wanted to.

ClarDold · ‎2017-12-31

I won't enjoy some pointers.
I don't need detailed steps. I might not want lots of hacking.
I have done things like mounting iso images for modification and such, using Linux tools.

If you message me directly, we could chat about how difficult it seems. I have done formal documentation.

If there's no update from Netgear, I might look to DD-WRT.

Diggie3 · ‎2018-01-01

I have asked one of the moderators if it's okay to make a new post with steps, since I don't know if such things are allowed. I hope I get a thumbs up, since this will help people solve the problem themselves at least in the short term. When I hear back I'll follow up.

BTW, I did manage to get SHA256 certs working, and surviving reboot and firmware changes, so that's good news. Also, larger key sizes and DH params work too.

Kilrah · ‎2018-01-02

+1 for this. The main reason I bought an R7000 was becasue I wanted a built-in VPN server feature, but it's been a letdown to find that it's been completely neglected and using outdated security. Was a pain to find a client that would connect, and even that one will be dropping support for MD5 soon, rightfully so.

Netgear, you seem to be pretty reactive to release update for other security issues, please consider that one with the same level of importance.

Diggie3 · ‎2018-01-02

@ElaineM @JamesGL @ChristineT can one of you give me thumbs up that it's okay to post the steps to update the keys in a new thread here. I just want to confirm that it wouldn't break the rules to do so.

Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Netgear has to upgrade to SHA256 or will face charges/damages (Due diligence/state of the art)

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Netgear has to upgrade to SHA256 or will face charges/damages (Due diligence/state of the art)

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App

Re: Netgear R7000 and OpenVPN for Android App