Re: OpenVPN broken with latest firmware and client versions

bennyfrank
Guide

OpenVPN broken with latest firmware and client versions

I recently upgraded an R7800 to firmware version 1.0.2.46 and installed the latest version of OpenVPN client 2.4.5-1601 on a Windows 10 laptop. This broke OpenVPN with the following logged messages:

 

Enter Management Password:

Fri Mar 30 03:50:58 2018 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Fri Mar 30 03:50:58 2018 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

Fri Mar 30 03:50:58 2018 Cannot load certificate file client.crt

 

I double-checked my setup procedures -- generated new config files after the firmware upgrade and installed them on my client and changed the TAP network adapter name to NETGEAR-VPN.  I tried Administrator and normal user mode to no avail. I've also reverted to OpenVPN clients 2.4.4-1601 and 2.3.12-1602. Both previously worked with older Netgear firmware but would not connect with the latest firmware on the R7800:

 

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

 

Is this a confirmed bug and what is the status of the fix?

Model: R7800|Nighthawk X4S AC2600 WiFi Router
Message 1 of 15
Ravepants
Aspirant

Re: OpenVPN broken with latest firmware and client versions

I am having the same issue with my Nighthawk X4S R7800.

I believe the OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak is to do with the certificate's cipher being too weak, and since these are generated by the router there isn't much that can be done as there is no control over how they are generated and with which strength/cipher.

 

I think it may be possible to regenerate the PKI with easyrsa but I don't know how to do this.

 

Some input from Netgear would be appreciated please.

Message 2 of 15
JamesGL
Master

Re: OpenVPN broken with latest firmware and client versions

Message 3 of 15
JamesGL
Master

Re: OpenVPN broken with latest firmware and client versions

Hi All,

 

We’d greatly appreciate hearing your feedback letting us know if you need further assistance.

Message 4 of 15
Ravepants
Aspirant

Re: OpenVPN broken with latest firmware and client versions

Hi James,

I am unable to connect to the vpn after the 1.0.2.52 firmware update.
The certificates are now valid as I have checked them and they are sha256, however the vpn client does not connect to the router on my pc or android clients after downloading the new profiles. I even tried it with a fresh os install on another machine.
I port scanned the router with the vpn active and the scanner reported that the vpn port was closed.
I have tried connecting internally and externally of the network.
Message 5 of 15
bennyfrank
Guide

Re: OpenVPN broken with latest firmware and client versions

1) Did not fix broken OpenVPN service. Fails to connect using latest (2.4.6) and older versions of OpenVPN client.  Just hangs with "connecting ..." message. 

2) Broke uPnP -- could not connect to a LAN device that employs uPnP. 

3) Lost custom names of connected LAN devices

 

Reverted to version 1.0.2.44 and all the above worked correctly. I did not perform a full reset with .52 or reversion to .44, but did a cold restart with both. Reconfigured OpenVPN client with both installs. I have a lot of custom port forwarding and other entries, which I would rather not manually re-enter until the newest firmware is reported clean and stable. 

Model: R7800|Nighthawk X4S AC2600 WiFi Router
Message 6 of 15
JZ_SmartMort
Guide

Re: OpenVPN broken with latest firmware and client versions

What a crappy thing to do to customers... pathetic QA. How in the world do you finally upgrade an over 3 year old OpenVPN, then don't even test it right after that upgrade. Meaning set up OpenVPN like a client would with .44 of the firmware and make sure it works then upgrade to .46 or newer .52 --- and guess what, broken VPN with resets and re-connect attempts. Please get some decent quality assurance behind your products and thanks for breaking my stuff just as expected. Thankfully I know better and backed up before the mess. I'm now perpetually stuck on .44 firmware given the lack of accountability on this post and a few other posts acknowledging with the same complaint. Hoping this will get some attention but I'm guessing we won't see it.

 

I'm not willing to reset my device to scratch in order to test (too many port mappings & static IP assignments, etc.). However, for folks willing to take a full reset of the device on .46 or .52 of the firmware, try to set up OpenVPN right after that. My guess is that old config is still lingering around and not properly re-generated upon installing .46 or .52. Maybe with a full reset and re-gen of the config, you'll have a functional VPN with .52... of course that doesn't help most folks with overly configured routers.

Message 7 of 15
mfifield01
Tutor

Re: OpenVPN broken with latest firmware and client versions

I'm having the same issue with .52. I thought it was something I was doing wrong, but it looks like it's a firmware issue. 

Message 8 of 15
mfifield01
Tutor

Re: OpenVPN broken with latest firmware and client versions

Is .44 the only way to get OpenVPN functionality? It would be nice to have a feature that I paid for.

Message 9 of 15
mfifield01
Tutor

Re: OpenVPN broken with latest firmware and client versions

I did a factory reset on the router. I was able to get VPN working again.

Message 10 of 15
kiwirider
Aspirant

Re: OpenVPN broken with latest firmware and client versions

After you did the factory reset, which FW version do you have now?

Message 11 of 15
mfifield01
Tutor

Re: OpenVPN broken with latest firmware and client versions

It's working with .52. I tried to just update the certificates a few different times, but nothing worked. It must have kept the old certificate after the firmware update last month. I didn't want to reset, due to all the configurations. I just took 11 pages of screenshots before doing the reset.

Message 12 of 15
kiwirider
Aspirant

Re: OpenVPN broken with latest firmware and client versions

Thanks for confirming.  I think I'm going to have to do the same. But at least I don't have as many configurations to re-enter! 

Message 13 of 15
Ravepants
Aspirant

Re: OpenVPN broken with latest firmware and client versions

I did a factory reset last night and unfortunately it's still not connecting.
I am beginning to wonder if it is an issue with the tap adapter install rather than the router, but I'm not sure, I get the mitm attack warning in the openvpn client, but not a lot I can do about that, but I have noticed when I launch my other vpn the tap adapter shows as active, but when I launch open vpn the netgear-vpn tap adapter doesn't even register it's been activated.
Message 14 of 15
JZ_SmartMort
Guide

Re: OpenVPN broken with latest firmware and client versions

Make sure to download the Zip file again and import/copy into the OpenVPN config folder.

Also try going into client.ovpn and comment out the NETGEAR-VPN line by throwing a pound sign in front of it. Not sure why their config file binds to a specific network device name but that commenting out step worked for me.
Message 15 of 15