Reply
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App

@Diggie3wrote:

Thanks everyone for feedback so far. Attached is version 1.0.1. I fixed some typos, added a suggestion to clean up your tftp folder when you're done, and made a note about the OpenVPN version that's most compatible with the document.

 

Some users looking to work through this doc may find that they can avoid Step 1 by visiting this hidden page:

 

http://192.168.1.1/debug.htm

 

If the debug page loads and there is an "Enable Telnet" option then you got lucky. Note that either the debug page or the option to "Enable Telnet" may not exist on your device or firmware version. Remember to check that this option is disabled after you're finished because having telnet enabled is a security risk.


Hi Diggie3,

 

Unfortunately the result for my R6220 is negative.  I completed all the procedures described in your instructions and reboot the router.  After robooting, OpenVPN cannot be connected by using the new certificate but the old certificate still function properly instead.

 

By enabling telnet thru’ “192.168.xx.1/debug.htm” again, I found that all the files under the directory “/tmp/openvpn” have been restored to the originals.  The newly added files “originalkeys.zip” & “newkeys.zip” during the procedures have been removed.

 

It seems R6220 router only stored the files to /tmp/openvpn temporary but have other true location to store the actual certificates.

 

Also, every reboot will clear the setting of “enable telnet”.

 

During the discussion to this post in this week, the router have not been rebooted.  Therefore I have just discovered this fact yesterday.

 

Remark: I have checked the updated files in “/tmp/openvpn” by “cat” command before rebooting”, all the 6 mentioned files should have been updated.

Message 76 of 139
Highlighted
Luminary

Re: Netgear R7000 and OpenVPN for Android App

@katsaw You could try this:

 

cat /proc/mounts

 

Here's some output from the R7000:

 

/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0

 

The reason we can update the keys is that /tmp/openvpn is a read-write jffs2 filesystem, which is a compressed, non-volatile file system. That was a smart move on Netgear's part. See if you have something similar. The R7000 also has /tmp/media/nand of this type, but there's no OpenVPN content there on the R7000, and I don't know how safe it would be to modify that one (I haven't tried).

Message 77 of 139
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App


@Diggie3wrote:

@katsaw You could try this:

 

cat /proc/mounts

 

Here's some output from the R7000:

 

/dev/mtdblock18 /tmp/openvpn jffs2 rw,relatime 0 0

 

The reason we can update the keys is that /tmp/openvpn is a read-write jffs2 filesystem, which is a compressed, non-volatile file system. That was a smart move on Netgear's part. See if you have something similar. The R7000 also has /tmp/media/nand of this type, but there's no OpenVPN content there on the R7000, and I don't know how safe it would be to modify that one (I haven't tried).



Thanks for your prompt reply!

 

Here it is:

 

# # cat /proc/mounts

rootfs / rootfs rw 0 0

/dev/root / squashfs ro,relatime 0 0

ramfs /dev ramfs rw,relatime 0 0

proc /proc proc rw,relatime 0 0

none /tmp ramfs rw,relatime 0 0

none /media ramfs rw,relatime 0 0

none /sys sysfs rw,relatime 0 0

none /proc/bus/usb usbfs rw,relatime 0 0

devpts /dev/pts devpts rw,relatime,mode=600 0 0

/dev/sda1 /tmp/mnt/shares/U vfat rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp950,iocharset=utf8,shortname=mixed,errors=remount-ro 0 0

#

Message 78 of 139
Highlighted
Luminary

Re: Netgear R7000 and OpenVPN for Android App

A couple of updates:

1- Forum user @pyrmont has created a set of instructions for Linux users. You can read that here:
http://articles.inqk.net/2018/03/02/netgear-openvpn-keys.html

2- @katsaw and I did some more investigation of the R6220 model. The outcome is:

a) I don't think it's possible to update the keys on the R6220 using the same technique as for the R7000. Other methods might exist, but I'm not familiar with them and I have no way to research it.

b) I would recommend R6220 owners disable the OpenVPN server, and if they really need to run a VPN server either to look into third-party firmware or a newer model of router.
Message 79 of 139
Highlighted
Aspirant

Re: Netgear R7000 and OpenVPN for Android App

Awesome post!  Thanks!  Worked flawlessly.  Appreciate you!

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 80 of 139
Highlighted
Apprentice

Re: Netgear R7000 and OpenVPN for Android App

Support says engineering is working on a fix, with no ETA, and wanted to close my support ticket.
I said I didn't feel the ticket could be closed until my problem was fixed.
Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 81 of 139
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App

The deadline for MD5 to be used in OpenVPN Connect is April 30.

I don’t know if NG can catchup with this schedule or not.

Message 82 of 139
Highlighted

Re: Netgear R7000 and OpenVPN for Android App

I so appreciate the heads up on the MD5 issue.  I used Netgear Nighthawk 7300 (DST) and OpenVPN as part of a solution.  These are auto repair shop owners. I sent customers to Best Buy to purchase this product.   I then used it to replace older routers.

Auto Repair Shops use PC based Mitchell1 Teamworks Manage SE.   Manage SE has embedded MS SQL Server for the datastore.   Additionally they purchase Android based BoltOn Tech Mobile Manager.  The Mobile manager client also uses the MS SQL Server datastore.  All Manage SEs and Mobile Managers must be on the same VLAN to see the MS  SQL Server database.

 

Shop owners asked have implementation one SQL Server database to multiple locations.  OpenVPN and Nighthawk was a perfect solution.  I set this up for them and walked away.  So far no configuration has required further intervention for me.

 

I am very concerned about this looming deadline.   Am I correct in understanding that at some point shortly after 4/30 OpenVPN will update on all these tablets and at that point OpenVPN will not complete connections?

 

These customers don't undestand networks that why I send them to Best Buy to acquire a retail router.

 

They will blame Mitchell1 and BoltOn and me.

 

Has anyone out there purchased product with Best Buy Geek Squad support?   I don't think anyone my customers have current Geek Squad support for this router.   My thinking is that Best Buy is big gorilla in this game.   Perhaps Netgear will give BB/Geek Squad  a clearer answer on the firmware update timeline.   The SKU for 7000/DST is still active.  

 

  

Model: R7300DST|Nighthawk DST—AC1900 DST Router
Message 83 of 139
Highlighted
Luminary

Re: Netgear R7000 and OpenVPN for Android App

In the worst case, you could replace their keys using the steps in this doc from earlier in the thread.

 

Best Buy Geek Squad support.. is that a joke? I doubt they would do more than recommend a different router.

 

 

Message 84 of 139
Highlighted
Aspirant

Re: Netgear R7000 and OpenVPN for Android App

Has anyone received an update from Netgear on whether they’ll correct this issue before the April 30 deadline?
Message 85 of 139
Highlighted
Star

Re: Netgear R7000 and OpenVPN for Android App

NG will most likely declare end of life before they put a fix out. They will string us all along with hopes and promises of a fix and tell us what we want to hear and then quietly quit responding. They did this when they were to add the “Netgear downloader” to the firmware on the R8500.
@ElaineM quit replying after no new firmware was produced. After reading many messages on the community boards, I doubt I’ll ever buy another NG product. For those stuck with non upgradable certificates, you may want to look into setting up a pfsense system and add your own keys.
Message 86 of 139
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App

Many users keep using the firmware by the original manufacturer instead of 3rd party firmware to avoid unforeseeable issues.  Now, the unforeseeable issue come from NG itself!  How come?

Message 87 of 139
Highlighted
Aspirant

Re: Netgear R7000 and OpenVPN for Android App

Hi guys!

 

I've been using VPN service on my R7000 router for years without problems. On Windows computers it is still running. But I'm really angry while I can't make it run on my Android phone for several weeks. I have installed the newest updates on my Android phone and also on my router. I still get the massage "OpenVPN server certificate verification failed". How come such an elementary thing is not working well?! Will ever Netgear fix this?! Or is it somehow fixed? If not I will have to purchase some better product and never ever want to hear of Netgear...

Thanks in advance for answers. Have all a nice day!

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 88 of 139
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App

THANK YOU!!!
   I just went through the instructions and it worked great.    You clearly spent some time on this and I appritiate it.

 

For others out there:  Here are a few notes on my experiene:

  1. Hidden Page for Telnet.I got to the hidden page, but my router (R7000 Nighthawk AC1900)  did not have a button to enable telnet.
      
  2. The process requires Python 2.7.    
    I initially tried using Python 3.x because it was already on my system..... but installing pycrypto did not work till I installed Python 2.7.   (I should have followed the instructions :-\)

  3. IP Address of the router
    The instructions kinda assume the default IP address of the router of 192.168.1.1.   My address range is different but the instructions were clear enough that it was easy to deal with.
      
  4. OpenVPN tools version
    The instructions stress that they are for OpenVPN tools version 2.4.4 and if you used a different version things might look different.    I used version 2.4.5 and saw absolutely no differences.

  5. Step 3.c is optional.   
    I skipped it.

  6. In Step 3.e, tells you to copy 'keys\dh4096.pem'.  
    On my system the file was named keys\dh2048.pem.   This is probably because I skipped step 3.c
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 89 of 139
Highlighted
Luminary

Re: Netgear R7000 and OpenVPN for Android App

Hi @pthorvald,

 

Indeed an update to OpenVPN has been released. I'll probably end up updating the doc to match it but haven't had time yet -- busy work schedule. I noticed that they say they patched the easy-rsa scripts, which is probably what led to you getting "dh2048.pem".

 

If anyone else is looking for the 2.4.4 installer to match the doc exactly in the meantime, the download is here:

http://build.openvpn.net/downloads/releases/openvpn-install-2.4.4-I601.exe

 

Glad you got your router patched up! Smiley Happy

 

Message 90 of 139
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App

Hi Diggie3,

     Thanks for the quick response!!

> If anyone else is looking for the 2.4.4 installer....... 

I guess I did not scroll down the page far enough to find version 2.4.4 of the OpenVPN stuff....  thanks for publishing the link.    It is bound to help others find the right version.

 

> I noticed that they say they patched the easy-rsa scripts, which is probably what led to you getting "dh2048.pem

Interesting..... it did not even occure to me that the OpenVPN version might have caused the difference.....but it certainly makes sense.

 

Once again,  thankyou for publishing your instructions.   You were able to make the task possible for us mere mortals! 

Message 91 of 139
Highlighted
Aspirant

Re: Netgear R7000 and OpenVPN for Android App

I have been lurking in this thread for the solutions from Netgear's firmware upgrade to solve the MD5 issue. After endless wait for their part and looking like there won't be such a postive outcome. So I took the action with the helpful tutorial from Diggie3 and finally sucessfully setup with the proper SHA256 signed certificates.

 

Here I would like to express my graditude to Diggie3 for setting up such a helpful and details tutorials, eventhough the procedure seems daunting, but with such details in explanations and the many helpful pictures attached. I was in no time come into any difficulty at all. Eventhough it took me quite few hours, and take breaks in between to digest the different stages of the operations Smiley Happy At the end. it all come good with the new OPENVPN server function like before but with the new certificates.

 

Once again I like say as many thanks as i could to Diggie3 for your helps here. I advise those who still are sitting at the fence to wait for Netgear's team for the solution to give it a try.

Message 92 of 139
Highlighted

Re: Netgear R7000 and OpenVPN for Android App

Thanks @Diggie3 for putting together that comprehensive manual!   I haven't tried it yet, though. Smiley Sad   I have a back-up OpenVPN setup on a Raspberry pi if Netgear doesn't follow through by April 30. Not being critical, but just FYI I did notice on Page 15 that although I see a copy command on the screen grab of the screen, it is not listed in the list of commands in the text.

Message 93 of 139
Highlighted
Luminary

Re: Netgear R7000 and OpenVPN for Android App

@stereoptic hey, you're right! I'll put it on the shortlist of things to fix! Appreciate the note!
Message 94 of 139
Highlighted
Aspirant

Re: Netgear R7000 and OpenVPN for Android App

WONDERFUL directions! Thank you. My Nighthawk 7000P now functions as a VPN server. I experienced three changes from your directions.

 

1. Section 3.e.2 - instead of dh4096.pem, my file was named dh2048.pem.

2. Section 7.c

  • My client.ovpn file needed to have one line added to it at the end -- "remote-cert-tls server" (without the quotes). This prevents man-in-the-middle attacks. The OpenVPN 2.4.5 client will not connect without this line added. Since client.ovpn is a protected file, you will need to open notepad in "admin" mode to edit it.
  • Consider adding instructions on how to download the client files to iPhone and android. 

          For iPhone - Connect iphone to PC via charging cable. Open iTunes 12.x. Click on the iPhone icon below the "Controls" icon. Under "Settings," click on "File Sharing." Click on the OpenVPN icon to the right. Select "Add File...". Add ca.crt, client.crt, client.key and client[x].ovpn. Select "Open". Select "Sync". Select "Done".

 

Message 95 of 139
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App


@jrsalamo wrote:

WONDERFUL directions! Thank you. My Nighthawk 7000P now functions as a VPN server. I experienced three changes from your directions.

 

1. Section 3.e.2 - instead of dh4096.pem, my file was named dh2048.pem.

2. Section 7.c

  • My client.ovpn file needed to have one line added to it at the end -- "remote-cert-tls server" (without the quotes). This prevents man-in-the-middle attacks. The OpenVPN 2.4.5 client will not connect without this line added. Since client.ovpn is a protected file, you will need to open notepad in "admin" mode to edit it.
  • Consider adding instructions on how to download the client files to iPhone and android. 

          For iPhone - Connect iphone to PC via charging cable. Open iTunes 12.x. Click on the iPhone icon below the "Controls" icon. Under "Settings," click on "File Sharing." Click on the OpenVPN icon to the right. Select "Add File...". Add ca.crt, client.crt, client.key and client[x].ovpn. Select "Open". Select "Sync". Select "Done".

 


Thanks!

The OpenVPN server of my Tomato router (not NETGEAR) also need the client ovpn file to add the line "remote-cert-tls server" for successful connection.

Message 96 of 139
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App

However it does not appear that the R7000 model has enable the "Telenet" feature on the debug page.  :-(


@NG_Guru wrote:

I can confirm that step 1 can be avoided (R8500) by going to http://192.168.1.1/debug.htm and select "Enable Telnet "

Can anyone else confirm that telnet can be enabled this way ?


 

Message 97 of 139
Highlighted
Guide

Re: Netgear R7000 and OpenVPN for Android App

Has anyone heard from Netgear lately?    The deadline is approaching fast.       

Assuming they do release a fix, it will be interesting to see what they do.
    - What level protection will it provide?

    - Will it break the fix that this thread supples (I would guess it will)

    - How hard will it be to put the keys we developed with this fix back on the router.   (I don't want to have to distribute keys again)

 

I am half tempted to not install new fixes from Netgear..... but there are other security fixes that would be foolish to ignore.

 

Once again my thanks go out to Diggie3 for the fantastic work he did in figuring out a solution and documenting it so well.   

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 98 of 139
Highlighted

Re: Netgear R7000 and OpenVPN for Android App

@Diggie3 - Thank you very much for the information provided in the guide.  I was able to follow the steps and update my R7000.  

 

Just wanted to share some information I found during my process in hopes someone else doesn't have to struggle through the frustration I experienced.  

 

I followed all of the steps without issue until I reached step 2b:  Connect to the router.  No matter what I did, I was unable to connect via Telnet.  The step 1h: Enable Telnet, returned the message Sent Telnet enabled payload to '192.168.0.1', it would appear that it was successful but no Telnet connections were accepted. 

 

It took some time to figure it out, but it seems there was an issue with my choice of password and the enable script.  I use a long, complex password to secure my router's admin account.  For kicks I changed it to something short and simple, sent the payload again, and was able to connect via Telnet.  

 

If you use a long and/or complex password for your account, and are unable to connect via Telnet after sending the payload in step 1h, you may consider temporarily changing your password to something simple during this process then resetting it back to your desired choice once complete.

 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 99 of 139
Highlighted
Aspirant

Re: Netgear R7000 and OpenVPN for Android App

Just followed the excellent guide on my R7000.  However, when I export the certificates from the VPN settings on the router - they are still the old ones.  Which is odd, since they should have been overwritten in the last step (when unzipping newkeys.zip).  Last step appeared succesfully and then rebooted, but even after reboot - still retrieving the old certs from the portal.

 

Message 100 of 139
Top Contributors
Discussion stats
Announcements