Star

R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

PROBLEM DESCRIPTION:

In the past week or two I upgraded my router firmware to V1.0.9.12_1.2.23 and yesterday I ran an update to my OpenVPN client on my Android phone to version 1.1.23 (build 90).  Today when trying to connect to my home network it would not connect. The message I received was: "OpenVPN server certificate verification failed : mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed"

 

I had a look at the client log on my phone and the error message is as follows:

Verify FAIL - The certificate is signed with an unacceptable hash : depth=0

cert version : 3

serial number : 1

issuer name : C=TW,ST=TW, 0O=Netgear, OU=netgear, CN=netgear, CN=netgear, emailAddress=mail@netgear.com

issued on : 2014-06-08

expires on : 2024-06-05

signed using  : RSA with MD5

RSA key size : 1024bits

Basic Constraints : CA=false

cert type : SSL Server

 Transport error: mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CTRL, CA or signature check failed.

EVENT : CERT_VERIFY_FAIL info=mbed TLS: SSL read error : X509 -Certificate verification failed, e.g. CRL, CA or signature check "failed"

EVENT : Disconnected

 

ACTION TAKEN:

  1. Disabled the OPENVPN server on the router R7000 and logged out.
  2. Logged back in and re-enabled the OPENVPN server and generated a new Smartphone.zip file
  3. Uploaded the new files to my phone
  4. Deleted the old profile and created a new one using these new files.
  5. Same problem and the client logs are the same!
  6. Since I have another profile for a different Router that I sometimes connect to (Asus RT-AC87U) I tried connecting to it from my phone and it connected without incident! Note: The asus router uses the following:  rsa key of 1024 bits   signed using RSA and SHA1 NOT MD5 as is the case on the R7000

 

ACTION PLAN:

  1. Looking for feedback on how to resolve this issue.
  2. Looking for ETA for the fix if the issue is with the Router R7000.
  3. This worked before, and the last time I used a VPN connection was about 3 to 4 weeks ago.

 Questions:

  • is the issue with the new client installed on the phone, however it seems to work with the ASUS router without incident?
  • is the issue with the firmware on the router, being the openvpn implementation?
Model: R7000|AC1900 Smart WIFI Router
Message 1 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Netgear,

 

I have the same make and model and firmware as HVOSPkxa, and per OpenVPN's website, https://docs.openvpn.net/faqs/faq-regarding-openvpn-connect-android/ states the following.

 

How do we generate, from the router, a SHA256 with RSA crt now?

 

certificate verification failed : x509 - certificate verification failed, e.g. crl, ca or signature check failed
This is not a bug in OpenVPN but is because of a faulty certificate, possibly because of MD5 type signature algorithm being used. To test if this is the case, get the CA certificate or the client certificate public key, and run it through the test below on the command line using openssl on a Windows, Linux, or Macintosh computer, to determine what signature algorithm is used. If it is MD5, then that is no longer supported. MD5 is broken and not supported anymore.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 2 of 28
Star

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

I ran my original ca.cert file (ca_org.crt) and the new one generated at my current level of firmware (ca_new.crt) using the openssl command mentioned from the OpenVPN web site above and received the following:

 

test@Lubuntu-1:~/Desktop$ openssl x509 -in ca_org.crt -noout -text | grep "Signature Algorithm"
Signature Algorithm: md5WithRSAEncryption
Signature Algorithm: md5WithRSAEncryption
test@Lubuntu-1:~/Desktop$ openssl x509 -in ca_new.crt -noout -text | grep "Signature Algorithm"
Signature Algorithm: md5WithRSAEncryption
Signature Algorithm: md5WithRSAEncryption
test@Lubuntu-1:~/Desktop$

 

Seems the problem is due to the MD5 type signature algorithm which is being used.

Message 3 of 28
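
As an added example (not part of any post in this thread, and not Netgear or OpenVPN code), the manual check from the posts above can be scripted: the function below reads the output of `openssl x509 -noout -text` and reports the signature hash and RSA key size. The verdict policy (MD5 rejected, SHA-1 or keys under 2048 bits flagged weak), the function names and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a certificate from `openssl x509 -noout -text` output.
# Assumed policy: MD5 -> REJECT; SHA-1 or RSA key < 2048 bits -> WEAK; else OK.

classify_cert_text() {
    awk '
        # The first "Signature Algorithm:" line is the one inside the signed body.
        /Signature Algorithm:/ && sig == "" { sig = $NF }
        # Matches both "RSA Public Key: (1024 bit)" and "Public-Key: (2048 bit)".
        /Public[- ]Key: \(/ {
            bits = $0
            sub(/.*\(/, "", bits)
            sub(/ .*/, "", bits)
        }
        END {
            s = tolower(sig)
            verdict = "OK"
            if (sig == "") verdict = "UNKNOWN"
            else if (s ~ /md5/) verdict = "REJECT"
            else if (s ~ /sha1/ || (bits != "" && bits + 0 < 2048)) verdict = "WEAK"
            printf "%s sig=%s bits=%s\n", verdict, sig, bits
        }'
}

# Wrapper for a real file, e.g. the ca.crt from the router's client package.
check_cert() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Constructed sample input, mirroring the fields reported in this thread.
SAMPLE_MD5='    Signature Algorithm: md5WithRSAEncryption
        Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption'

# Constructed sample of a certificate signed with SHA-256 and a 2048-bit key.
SAMPLE_SHA256='    Signature Algorithm: sha256WithRSAEncryption
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

for sample in "$SAMPLE_MD5" "$SAMPLE_SHA256"; do
    printf '%s\n' "$sample" | classify_cert_text
done
```

Run `check_cert ca.crt` and `check_cert client.crt` on freshly exported files after each firmware update to confirm whether the hash has actually changed before reloading profiles onto clients.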
Tutor

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

https://www.bbb.org/losangelessiliconvalley/business-reviews/internet-services/netgear-in-san-jose-c...

 

I plan to file a complaint as NG will never fix this without some force. Please join me.

Message 4 of 28
Star

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

I just received a new OpenVPN client for my Android phone. I am now able to reconnect to my home router. The issue is to do with md5, as stated in the changes to the new client:
Changes from 1.1.23 to 1.1.24:
* relax the certificate validation in mbedTLS to allow certificates with broken date format to connect
* re-enabled deprecated and insecure md5 signature algorithm. Support for md5 will be officially DROPPED on Apr 31st 2018
Changes from 1.1.22 to 1.1.23:
* fix connection issues to servers supporting only TLS1.0, which was causing crashes on very old vpn servers (< 2.3.7)
Changes from 1.1.21 to 1.1.22:
* fix for importing profiles using external certificates

Netgear seems to have till April 31 2018 to change from md5 to something else like sha2 possibly.

Would still like to know what Netgear's plans are to come up with a permanent fix to this issue.

Message 5 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

I had the same successful outcome with the updated OpenVPN 1.1.24 build 92 app now using the same exact cert from the router.

We'll see come April 2018 netgear ;-)
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 6 of 28
Master

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Hi All,

 

I would like to verify if the issue has been resolved with the latest OpenVPN client for Android.

Message 7 of 28
Star

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Currently my OpenVPN connection to my netgear router is working with the latest Android OpenVPN app.

 

This being said Netgear definitely needs to change from MD5 to SHA1 (at minimum) or SHA2 as soon as possible.  This is particularly important, since MD5 will no longer be supported by OpenVPN clients in the near future and the fact that MD5 is not secure! I trust that Netgear values their customers and is committed to implementing the best network security features, and resolving security exposures as quickly as possible.

 

I would like to thank you for following up and look forward to new firmware with the added network security implemented for OpenVPN.

 

As a separate issue, but related to security, would it be possible to implement being able to add a userid and password feature for the OpenVPN server that is implemented. Meaning not only does one need to have the files generated by the router to setup the client, but when connecting to the router an extra step of authentication using userid and password would be required.  The current implementation is that anyone who has the files generated by the router can access my home network.  

 

Once again the Asus router that I connect to has this feature and provides much greater security. 

 

I look forward to hearing from you.

Message 8 of 28
Master

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Hi HVOSPkxa,

 

The concern regarding the MD5 has been raised already. We will update you for any feedback.

Message 9 of 28
Star

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Looking forward to receiving a fix to this issue.  

 

Any response/updates regarding the extra layer of security when setting up OPEN VPN and adding Authentication... userid and password before being able to access the network?  Should I open up a new entry to track this request?

 

Thanks 

Message 10 of 28
Master

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Hi HVOSPkxa,

 

You can post it under Idea Exchange board as feature request.

Message 11 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

I wanted to check in on the status of the OpenVPN client for the R7000 getting updated prior to April to use something other than MD5?
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 12 of 28
Star

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Feb 3, 2018

Since this post was started we have seen several firmware updates to address issues for this router, but the latest version of firmware for the R7000 seems to have broken my VPN connection once more.  (V1.0.9.18_1.2.27)

In the past my client files did not need to be updated to allow my android device to connect following a firmware upgrade. This time I had to generate new client files, upload them to my device but could not connect.  I decided to reset the router (using the 30-30-30 procedure found on the DD-WRT site), and created new client files once more, but to no avail. In addition to this I also had to manually input my configuration once more into the router following the upgrade.  Obviously I also had to manually input the configuration again after doing the reset which is to be expected.

Because of this experience, I decided to spend time building my own OpenVPN server until Netgear can stabilize their firmware and provide me with a good solution to both issues; secure OpenVPN and provide a clean working firmware upgrade path where one does not have to reset the router and re-enter the configuration manually often times. Ideally the configuration parameters should be saved, the firmware upgraded, the router reset to the factory defaults and then re-apply the configuration as part of the firmware upgrade. This is essentially what you are asking thousands of people to do when the upgrade does not work… automating and/or fixing this process is a definite requirement for the end user community.

For those who want to build their own stable OpenVPN server you have a couple of options:

Option #1:  This procedure is somewhat complicated but a great learning exercise. This is the solution I implemented and is working very well.

  1. Forward ports 1194 UDP on your Netgear router to a virtual machine or a physical computer you will use to build the OpenVPN server.
  2. Download Ubuntu 16.04 server https://www.ubuntu.com/download/server
  3. Create the virtual machine and install Ubuntu server. If you are using a physical computer install Ubuntu server on the computer.
  4. Follow these instructions to the letter and you will have a secure, stable OpenVPN server. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

Option #2:  This procedure still required either a virtual machine or a physical computer.  I realized that I had built my own NAS box using OpenMediaVault (OMV) and there is a plug-in for OMV that will run an OpenVPN server on the NAS box. You do not need to actually use the NAS software to run a NAS box but can simply install it and download the plug-ins; the setup for the OpenVPN server and generating client files is super simple.

  1. Create a Virtual machine or use a physical computer
  2. Download and install OpenMediaVault https://www.openmediavault.org/ on either Virtual machine or the physical computer.
  3. If you follow the OMV website you will eventually end up here to obtain the plug-ins for OMV http://omv-extras.org/joomla/
  4. The instructions to download and install the plugins are found here: http://omv-extras.org/joomla/index.php/guides  The OMV NAS box is managed from a nice GUI interface accessed from pointing a Web browser to the IP address of the NAS server.

I have also tested this OpenVPN server solution and it too works very well.

In addition to this OpenVPN server working well under OpenMediaVault it also allows one to use PAM to authenticate with the server using a userid and password as a secondary security measure in the event your OVPN files are copied by someone else.

I do hope that Netgear will release a stable release of firmware with fixes to the OpenVPN server issue before the end of May and will provide a better upgrade experience to their customers in the future. I definitely look forward to being able to use one piece of hardware (being the router) to manage all or most of my networking needs, which is the reason I purchased this router in the first place!

 

Feb 12, 2018

I upgraded my firmware to version V1.0.9.26_10.2.31 and it seems the client certificate is still indicating the certificate is signed using MD5.  Signature Algorithm: md5WithRSAEncryption  

The RSA key is still only 1024 bits, whereas the norm seems to be 2048 bits.   Public Key Algorithm: rsaEncryption   RSA Public Key: (1024 bit)

    

According to the following OpenVPN web site support for MD5 ends at the end of May, which means we will either not be able to use OpenVPN from our router or that we are in for at least one more firmware upgrade.  Let’s hope a manual reconfiguration of the router will not be required once more.

https://docs.openvpn.net/faqs/faq-regarding-openvpn-connect-android/  

      

I have not tried to use these new client files on my Android device as both of my OpenVPN servers are working very well.  I have decided to wait until Netgear has come up with an acceptable solution before going back to the router's OpenVPN solution.

Message 13 of 28
Master

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Hi HVOSPkxa,

 

NETGEAR is working on the new certificate for OpenVPN which will be released before the deadline.

Message 14 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Has the latest firmware (1.0.9.28) changed from MD5 to SHA2?

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 15 of 28
Star

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Good question!!!   The release notes are anything but specific.....

The release notes indicate the following:

New Features and Enhancements:

  • Supports Auto Firmware upgrade

Bug Fixes:

  • Fixes security issues. ====> Not sure what it fixes??????????????????????

Note: Firmware starting 1.0.7.12 will not include Arlo functionality

To Install

Note: To avoid wireless disconnect issue during the firmware download process, NETGEAR recommends that firmware upgrade be performed on a computer with wired connection.

  1. Write down all the settings which you changed from the default values, since you may need to re-enter them manually.
  2. Using the Download Link below, download and extract the new firmware to a convenient place such as your desktop. The filename after extracting is R7000-V1.0.9.28_10.2.32.chk

    Download Link: http://www.downloads.netgear.com/files/GDC/R7000/R7000-V1.0.9.28_10.2.32.zip

I logged into my router and checked to see if there was an update and it indicated there was not. See attached file.  Hopefully someone can confirm as I do not want to go through another firmware update only to find out the issue is NOT resolved.

 

 

 

Message 16 of 28
Master

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Hi All,

 

The new OpenVPN is not yet included on the new firmware. We will update you as soon as it is available.

Message 17 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Any news on this one?
Message 18 of 28
Star

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Seems that Netgear has released a "Hot Fix Update" to address the issue.

 

R7000 Firmware Version 1.0.9.30 - Hot Fix

New Features and Enhancements:

  • Supports Auto Firmware upgrade

New Features and Enhancements:

  • OpenVPN cert update (from MD5 to SHA256)

Bug Fixes:

  • Fixes security issues.

Link to firmware is here:
https://kb.netgear.com/000057097/R7000-Firmware-Version-1-0-9-30-Hot-Fix

 

Message 19 of 28
Master

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Hi All,

 

Please provide us feedback with the hotfix for R7000 which will support the SHA256 certificate.

Message 20 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Hotfix works for me, tx!

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 21 of 28
Virtuoso

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting


@JamesGL wrote:

Hi All,

 

Please provide us feedback with the hotfix for R7000 which will support the SHA256 certificate.


works perfectly for me too

Message 22 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

I must be missing something here. I updated to R7000 Firmware Version 1.0.9.30 - Hot Fix, exported certificates after that, saved to my phone, imported the profile into OpenVPN and get a "There was an error attempting to connect to the selected server" on the application itself.

I'm guessing I'm doing something wrong if two others were able to get this to successfully work?

Any help, or steps, are appreciated.
Message 23 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

I had the same error at first as well.  Restarted router again, switched off openvpn app on my iphone (pressed home button twice and swiped app away), then started the app again.  After that connection was made with new profile without a problem. Not sure which of the 2 re-starts did the trick.

Message 24 of 28
Aspirant

Re: R7000 firmware V1.0.9.12_1.2.23, Android client 1.1.23 build 90, OPENVPN no longer connecting

Thanks for the quick response. I tried that as well unsuccessfully. What is happening is after a reboot via unplug/re-plug I get the below message, I click the update button displayed under the message, the status bar moves about 10% then the router goes right into the normal administration/management page(s). It's as if it skips the update process it is trying to do and never completes.

 

<<Attention>> A new OpenVPN configuration package for your router is available that enhances your router's security. You must update the OpenVPN configuration package for your router. Once the OpenVPN configuration package is updated, you must update the OpenVPN configuration package on all your clients; otherwise, your clients won't be able to access your router using the VPN feature.

Message 25 of 28