
Re: Nighthawk r7500 vpn setup

Retired_Member
Not applicable

Nighthawk r7500 vpn setup

I'm new to VPN but learn quickly. I'm trying to set up VPN on my router for a layer of security for my home. I am getting error messages with OpenVPN. Following the instructions on the router, many forums, and the OpenVPN resources, I am not able to get this working. I receive this error: "warning: no server certificate verification method has been enabled. see http://openvpn.net/howto.html#mitm for more info." Can someone please assist? Perhaps have a walk through other than what's just on the router? Thank you in advance.
Model: R7500|Nighthawk X4 AC2350 Smart WiFi Router,R7500v2|Nighthawk X4 AC2350 Smart WiFi
Message 1 of 11

All Replies
bripab007
Tutor

Re: Nighthawk r7500 vpn setup

We probably need a bit more info to really help you, but I've set up the VPN server on both the 7000 and 7500 routers, using both stock Netgear firmware as well as Tomato and DD-WRT 3rd-party firmwares. Netgear makes it fairly easy in the stock firmware, especially if you're just using a mobile device/smartphone. So what is the client device, and do you already have a dynamic DNS provider for your ISP's internet connection? (Netgear has the stock one, I think serviced by No IP, so you can choose a subdomain in the "mynetgear.com" DNS zone.)

 

In Advanced > Advanced Setup > VPN Service > Enable VPN Service, I choose UDP for both TUN and TAP modes using the default ports 12973 and 12974, and I choose to forward all sites on internet *and* LAN through the VPN for maximum privacy when using the VPN on a public wi-fi AP.

 

Once those settings are applied, click the "For Smart Phone" button to download the OpenVPN (.ovpn) file--if you're on your phone already, just save this somewhere (locally, cloud storage, etc.) for access momentarily, & if you're on a desktop computer, you'll need to save it and then transfer it to your phone by whatever means necessary.

 

Next, install the OpenVPN app on your mobile device, after which you'll copy or import that .ovpn file on the phone into the OpenVPN mobile app. In iOS, this can be done through the share sheet menu, selecting copy to OpenVPN--for example, if the .ovpn file is in Dropbox, select it and select share extension > copy to OpenVPN. OpenVPN app should ask you to confirm the import by hitting a green plus button, if my memory serves. Once imported, you can test it by tapping the toggle in the app to connect to the VPN. At this point, the VPN profile will have also been added to your Settings app under the VPN section, so you can toggle it on/off there OR from the OpenVPN app.

 

Doing this on a desktop OS is roughly similar.

Message 2 of 11
Retired_Member
Not applicable

Re: Nighthawk r7500 vpn setup

I am setting this up on a PC connected to the router in hopes to have the entire network using the VPN tunnel.  I am on Win 10 and have performed these steps to a tee:

 

Step 1: Select the Enable VPN Service check box and click the Apply button.
Step 2: Download the client utility from http://openvpn.net/index.php/download/community-downloads.html and install it on the devices where you want to run the VPN client.
Currently IOS and Android clients are not supported.
Step 3:
Click the proper button below to download the configuration files for your VPN clients.
For Windows For non-Windows
Step 4: Unzip the configuration files you have just downloaded and copy them to the folder where the VPN client is installed on your devices. For a client device with Windows 64-bit system, the VPN client is installed at "C:\Program files\OpenVPN\config" by default.
Step 5: For a client device with Windows, you need to modify the VPN interface name to "NETGEAR-VPN". The VPN interface usually has a Device Name as "TAP-Windows Adapter".
Step 6: Client utility must be installed and run by a user who has administrative privileges.

Step 7: For help connecting using OpenVPN clients, please refer to http://openvpn.net/index.php/open-source/documentation/howto.html#quick
Note: if you want to make any change in Advanced Configurations section, please make the changes before you download the configuration files in Step 3.

Advanced Configurations
Service Type: UDP / TCP
Service Port: 12974
Clients will use this VPN connection to access: [ ] Auto  [X] All sites on the Internet & Home Network  [ ] Home Network only

 

At this point I have the following installed in the OpenVPN config dir:

ca.crt

client.crt

client.key

client.ovpn

 

I run the gui interface with admin privs and get this message every time:

Mon Nov 06 22:45:30 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

 

I am just trying to set this up as a client letting the server do its thing.  What am I missing here?

 

 

 

 

Model: R7500|Nighthawk X4 AC2350 Smart WiFi Router
Message 3 of 11
bripab007
Tutor

Re: Nighthawk r7500 vpn setup

I believe the Windows VPN client needs to be TAP, so you have the VPN server set to TAP on the router, right?

 

Searching that error seems to bring up a host of different problems/suggestions on the web.

 

One thing you could try is using a consolidated .ovpn file that contains all the necessary certificates embedded inline in the body. I've had good luck with those, rather than the separate client, server, certificate authority, key, etc. cert files. http://permalink.gmane.org/gmane.network.openvpn.user/32469

Message 4 of 11
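
The consolidated profile suggested in the post above uses OpenVPN's inline-file syntax, where `ca`, `cert` and `key` lines become `<ca>`, `<cert>` and `<key>` blocks. An added example (not from any poster or from Netgear) that performs the merge; the sample profile, host name and PEM bodies are constructed, and it assumes bare file names as in the thread's config directory.

```python
# OpenVPN accepts these file-valued directives as inline <tag>...</tag> blocks.
INLINE_TAGS = ("ca", "cert", "key")

def inline_profile(profile_text, files):
    """Replace `ca|cert|key <file>` lines with inline blocks appended at the end.

    files maps each file name, as written in the profile, to its PEM text.
    Assumes bare file names without spaces (ca.crt, client.crt, client.key).
    """
    kept, blocks = [], []
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in INLINE_TAGS:
            tag, name = parts[0], parts[1].strip('"')
            if name not in files:
                # Fail loudly rather than emit a profile missing a credential.
                raise FileNotFoundError(f"profile references {name!r}, not supplied")
            blocks.append(f"<{tag}>\n{files[name].strip()}\n</{tag}>")
        else:
            kept.append(line)  # every other directive is passed through unchanged
    return "\n".join(kept + blocks) + "\n"

# Constructed sample input (not the profile Netgear generates).
SAMPLE_PROFILE = """client
dev tap
proto udp
dev-node NETGEAR-VPN
remote vpn.example.net 12974
ca ca.crt
cert client.crt
key client.key
"""
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(inline_profile(SAMPLE_PROFILE, SAMPLE_FILES))
```

The merged file embeds the client private key, so it needs the same handling as `client.key` itself when it is copied to a phone or cloud storage.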
Retired_Member
Not applicable

Re: Nighthawk r7500 vpn setup

After reading a LOT of information I decided to sell my R7500 and buy a R7000P  I flashed it with DD-WRT and was done in about an hour...  Super easy.  I'm not sure why Netgear does not have more functionality built in the standard interface.  Thank you all for the replies.

Model: R7500|Nighthawk X4 AC2350 Smart WiFi Router
Message 5 of 11
bripab007
Tutor

Re: Nighthawk r7500 vpn setup

That's funny you mention that--I had a 7000 running stock Netgear FW and had no problem setting up and using its VPN server either. Since getting my 7500, I set up the primary VPN on that, then flashed DD-WRT on my 7000 to use it as a wireless repeater bridge and set up a secondary VPN on that.

 

While the VPN was relatively easy to get working on DD-WRT initially, I found it was not redirecting web traffic through the VPN. I had to do a bit of research and mucking around to get it to redirect all traffic (both LAN and WAN) through the VPN, unlike Netgear's implementation that just worked. So you might want to make sure your web traffic is going through the VPN properly.

Message 6 of 11
Retired_Member
Not applicable

Re: Nighthawk r7500 vpn setup

Good info, I'll check into that.
Message 7 of 11
ClarDold
Apprentice

Re: Nighthawk r7500 vpn setup

I just bought a Netgear R7000P (Firmware Version V1.2.0.22_1.0.78) to replace an Asus RT-N56U.

That router never had good wifi range, and after two years, the 5GHz connection would just die, and I needed to reboot regularly.

But, the VPN seemed better to me than the OpenVPN on the R7000.

 

On the R7000, it seems that port 80 is open to the world as soon as you enable VPN.  I don't like that.

On the R7000, there is only one login, admin?  Is that correct?

On my Asus, I had separate long user names and passwords for each VPN user.

I don't understand having every user log in as admin, and therefore allowing every VPN user full admin access.

 

Can I control what IP addresses or subnets can access port 80?

If I deliver the "smartphone.zip" file via some method, does port 80 have to be used at all?  

If I deliver the zip file, do they ever need the admin login?

 

I think I only need TUN, but I see no way to disable TAP.    

I will be using primarily an iPad into my VPN, often an Android phone, occasionally Windows and Mac.

 

Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 8 of 11
bripab007
Tutor

Re: Nighthawk r7500 vpn setup

I'm not sure what you mean by port 80 being open to the world when you enabled the VPN server. When it's enabled, it'll listen on port 12974--if memory serves--for incoming VPN client connections. I also am not quite sure what you mean by one admin login for the VPN. Your old Asus router likely used an older PPTP VPN server with simplistic un/pw combos as the only method for logging in. The OpenVPN server on the Netgear routers uses client certificate chains (i.e. the .ovpn file you download from the GUI after turning it on). Yes, the Netgear implementation only lets you create a single .ovpn file, and thus, only a single discrete client, but you can connect I think up to two or four VPN clients with that cert on the R7000 (I think the R7500 supports four or eight??). Again, I'm not sure what you mean by VPN user having full admin access--the point of the VPN is to get a remote client onto your LAN, nothing to do with admin permissions. I think most mobile clients use TUN and desktop OS clients like Windows use TAP.

Message 9 of 11
ClarDold
Apprentice

Re: Nighthawk r7500 vpn setup

@bripab007 wrote:

I'm not sure what you mean by port 80 being open to the world when you enabled the VPN server. 

 

I was conflating OpenVPN with the Netgear implementation.
I have a Linux OpenVPN server, and connecting to it with a standard browser on port 943 (not 80) provides a way for a new client to download config files and continue with their OpenVPN.  This is protected by a simple user/password login, but multiple possibilities.

I had confused that with the Netgear, where port 80 is only open on the LAN, not the WAN, but provides a path to the config downloads.  The login here is a password, and user admin.
(nmap from the LAN to the public IP address showed the same results as a scan to the internal Private IP, which is misleading, but I see that is not uncommon amongst routers.  I don't think that happened on the Asus, but I could be mistaken.)

 

So, Public ports are not the problem that I thought they were.   I need to supply my users with the .ovpn and associated files, because one needs to log in on the local LAN as admin in order to fetch them.

I have been able to connect Android OpenVPN client to both my OpenVPN server and to the R7000P.

I can connect Windows 10 to the OpenVPN server, but I cannot connect to the R7000P.

It fails with errors that the #mitm suggests are server side problems, but my Android connects okay.

  Wed Nov 29 13:35:16 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
  Wed Nov 29 13:35:19 2017 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
  Wed Nov 29 13:35:19 2017 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.1.2.0
  Wed Nov 29 13:35:19 2017 TAP-Windows adapter 'NETGEAR-VPN' not found

 

Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 10 of 11
ClarDold
Apprentice

Re: Nighthawk r7500 vpn setup


@ClarDold wrote:

I can connect Android, but not Windows 10 to the R7000P VPN.


  Wed Nov 29 13:35:16 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
  Wed Nov 29 13:35:19 2017 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
  Wed Nov 29 13:35:19 2017 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.1.2.0
  Wed Nov 29 13:35:19 2017 TAP-Windows adapter 'NETGEAR-VPN' not found

 


Only that last line matters.

The certificate verification WARNING appears repeatedly in the log, but seems to have no effect.  The ROUTE message, no effect.

 

The instructions say: "Step 5: For a client device with Windows, you need to modify the VPN interface name to "NETGEAR-VPN". The VPN interface usually has a Device Name as "TAP-Windows Adapter"."
I had one named "Ethernet #2", but I noticed in small print that it said "TAP-Windows Adapter V9"

I couldn't change the bottom line of that description, but I could change the name, to "NETGEAR-VPN".
Now Windows VPN connection to the R7000P works.
See the attached screenshot of what my Network Connections panel looks like (VPN not connected right now.)

Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 11 of 11
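
The warning quoted throughout this thread concerns the client profile rather than the TAP adapter: OpenVPN prints it when the profile contains none of the directives that check the server's certificate, so the tunnel can come up while the server stays unverified. An added example (not from any poster, Netgear or OpenVPN) that audits a profile for those directives and for the `dev-node` adapter name from Step 5; the sample profiles and host name are constructed.

```python
# Client directives that make OpenVPN check the server's certificate.
SERVER_CHECKS = ("remote-cert-tls", "remote-cert-eku", "verify-x509-name",
                 "tls-verify", "ns-cert-type")

def directives(text):
    """Yield (name, args) per active line, skipping comments and inline <tag> blocks."""
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == f"</{block}>":
                block = None  # end of inline PEM material
        elif line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
        elif line and line[0] not in "#;":
            parts = line.split()
            yield parts[0].lstrip("-"), parts[1:]

def audit_profile(text):
    """Report server-certificate checks and the TAP adapter name a profile expects."""
    checks, dev, dev_node = [], None, None
    for name, args in directives(text):
        if name == "ns-cert-type" and args[:1] != ["server"]:
            continue  # only `ns-cert-type server` checks the server side
        if name in SERVER_CHECKS:
            checks.append(" ".join([name, *args]))
        elif name == "dev" and args:
            dev = args[0]
        elif name == "dev-node":
            dev_node = " ".join(args).strip('"')
    return {"server_cert_checks": checks, "server_verified": bool(checks),
            "dev": dev, "dev_node": dev_node}

# Constructed profiles (not the file Netgear generates).
UNVERIFIED = """client
dev tap
dev-node NETGEAR-VPN
remote vpn.example.net 12974
ca ca.crt
cert client.crt
key client.key
"""
VERIFIED = UNVERIFIED + "remote-cert-tls server\n"

if __name__ == "__main__":
    for label, profile in (("unverified", UNVERIFIED), ("verified", VERIFIED)):
        print(label, audit_profile(profile))
```

Adding `remote-cert-tls server` only works if the router's server certificate carries the server extended key usage; whether Netgear's certificate does is not stated in this thread.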