VPN Configuration Files

I set the VPN connection on my Nighthawk and followed the instructions of downloading OpenVPN configuration files. I have determined these configuration files do not need any password or login information once installed on a device.

However, I ran into a situation where I need to generate new configuration files and prevent the previously generated ones from connecting to the VPN service. I failed to block the old files. I tried changing the router passwords and IP address, with no success. Old configuration files can always connect. How do I prevent such a thing?

This is very annoying as there are no VPN accounts (i.e. username and password). It would be nice if accounts can be added or access controlled in a more professional way. I appreciate if someone can advise on a solution for this annoying problem.

I'm not a very big fan of Open VPN. There is very limited control to standard users.

Message 1 of 63

Re: VPN Configuration Files

I have turned VPN feature off as a previous employee had VPN access and I can't find a way of stopping his access. I'm very disappointed as VPN was a key feature when I selected this router.

Note I also have an Asus Dark Knight used somewhere else with VPN activated. It is working flawlessly and you have to create an account for each user. The way it is supposed to be.
Message 2 of 63
Aspirant

Re: VPN Configuration Files

If you go into the openvpn directory and open it up, there should be a few subdirectories. Open the config.conf and edit it with Notepad++ (free from notepad plus plus.org). Or you can create your own set of config files, certificates, usernames and passwords. Go check out the howto at the OpenVPN website. You open a command prompt and follow the instructions, or if you have a paid VPN service they have it pre-packaged, which is usually easy to get working. I have my Kindle (basically Android), which is wireless, running OpenVPN, and it goes through the router with no issues.
If they would have done the sensible thing and just incorporated the OpenVPN client/server into the router itself, then you just have iptables and usernames/passwords. It takes a while to get used to OpenVPN. I will have to check out the Dark Knight router to see what it is like.
Message 3 of 63

Re: VPN Configuration Files

Thank you hulltech. But from your reply I understand the adjustments are on the configuration files level and are not on the router platform. In other words, this will only require a password from the device where the configuration files reside.

It shouldn't be this hard. Again, the platform for VPN use should be easier and more flexible. I'm not much into manual adjustments and the entire process should not be as complicated.

Why can't I simply add usernames and passwords for VPN access? Again, please check the Asus Dark Knight platform.

I hope a firmware update will resolve this issue.
Message 4 of 63
Aspirant

Re: VPN Configuration Files

Yeah, on the one side it's nice that the VPN config is so easy, but on the other side I don't know why it's not possible to configure the connection for different users separately.

That should be state of the art.

So it's not possible to disable the connection for a specific user. If you generate a new certificate, the old ones are still working.

I hope this will be changed in a new firmware version. :(
Message 5 of 63
Tutor

Re: VPN Configuration Files

Having done this whole process manually with a normal OpenVPN server on DD-WRT in addition to the Netgear way with the stock firmware, I'd like to point out a couple of things. First of all, this is clearly not an Enterprise-level solution. If you are trying to use the R7000 with employees, businesses, etc., you need to look for a better solution elsewhere. This is not a fault of the OpenVPN product itself, because it can be configured to do all of the things you want it to do. The ability to revoke certificates, set passwords on client keys, etc. is all possible in a regular OpenVPN setup. However, in the interest of making this as simple as possible for a home user who might want to access resources on the home network while away from home, Netgear greatly simplifies this process by glossing over many of the usual options an administrator would have access to. If you wish to continue using the R7000 as a VPN server for employees, etc. (a use which goes way beyond what this product is intended for), you have at least two options:

- Disable the VPN server on the stock firmware, set up a separate OpenVPN server on the internal network, and forward all new VPN requests from the outside to this new server.

- I know this is generally frowned upon in these forums (but there really aren't many other options for this), but install DD-WRT or Tomato firmware and use the OpenVPN server provided by either of them. There will be more options available, but this also opens the door to things being set up improperly.
Message 6 of 63

Re: VPN Configuration Files

I do not see using the router at a very small business as a problem. I do not need robust solutions for my business.

Let me make a new scenario for this case.

A happily married couple are remotely accessing their files at home using a VPN connection on the R7000. The weather went bad and they had to get divorced. The angry wife does not want her husband to access her files anymore. She is out of budget and can't buy a new router. Actually, she thought she had the best router ever.

Can anyone solve her problem (other than proposing marriage)? :)
Message 7 of 63
Tutor

Re: VPN Configuration Files

Hehe, I get what you're saying. It does seem bad even for home use to not have a way to revoke certificates. While OpenVPN did think this through and does have a way to do this (through certificate revocation lists), it isn't available with the Netgear configuration. In fact, I wonder if they even bother to make these certificates unique, or if I can connect to any R7000 running this VPN service? :eek: I was poking at the certificates downloaded from mine, and it was generated back in April 2013 (which means your cert will probably finally expire in 2023!) by a guy named Allen in Taipei, Taiwan who uses gunfighter@mail2000.com.tw for his e-mail address. This doesn't inspire a lot of confidence in me that we each get unique certificates generated when the service is enabled... :rolleyes: I'd prefer to be able to specify my own, which would also solve your problem since you could effectively invalidate the previously used certificates by swapping them out for new ones. In the meantime, I'm starting to think this is actually a huge security risk to even enable this option unless I can find some confirmation that they have a process in place to make these certificates unique for each instance in which they are enabled. :mad:
Message 8 of 63
Aspirant

Re: VPN Configuration Files

You don't even get any info that someone is connected through VPN.

Well, you can find a note in the log between 100 other messages.
You find the connected client in "Connected devices" but no info that the client is connected with VPN.

Those are basic features... I don't need the features of a business router, but the basics are missing.

Creating a user account for each VPN user is nothing special.
Getting feedback if someone is connected with VPN is nothing special.

If I had known that the VPN options are so poor I would have chosen a different model.
Message 9 of 63
Aspirant

Re: VPN Configuration Files

LoL,

As I am struggling getting my RaspberryPi connected through OpenVPN to the R7000, I saw the same mail-address coming by.

After googling the address, I found the following article:
Official Publication
One of the main engineers is "Cheng-Jung Wen" from ZyXEL communications corporation in Taiwan and his e-mail address happens to be: gunfighter@mail2000.com.tw

Is the guy working at Netgear now?
Are the OpenVPN settings being integrated/generated by ZyXEL?
Is my Netgear R7000 actually a Zyxel?

LoL
Message 10 of 63
Aspirant

Re: VPN Configuration Files

Oh my gosh! This info enlightenment on Netgear's poor insecure implementation of the OpenVPN on the R7000 is alarming! I bought this router recently with dependency on using the VPN functionality and was disappointed to find out that they don't support VPN access methods for Android tablets and cell phone devices. Now I read this thread about the limitation of not being able to remove undesired user certificates and that really is a BIG security exposure and risk. I am returning this R7000 for sure now as I don't like what I just found out about their VPN implementation.
I bought an Asus RT-AC68P and it has a decent VPN solution that I like and use. It's just like my older RT-N66U router and is better than Netgear's VPN offering.
I can't believe they (Netgear) would put such a poor solution out, exposing so many people to hackers.
Message 11 of 63
Aspirant

Re: VPN Configuration Files

Granted, I have been disappointed by Netgear's OpenVPN implementation as well and have looked at the ASUS, but was concerned to learn that it is a PPTP VPN, which ordinarily is fine, but a bunch of places block multiple ports and I find that a lot of the time that includes the PPTP.

Dan
Message 12 of 63
Aspirant

Re: VPN Configuration Files

The horrible VPN implementation, requiring me to use an old 32-bit version of OpenVPN on a 64-bit Windows box, and still unable to connect from my Linux computers, is the 2nd big reason I'm seriously looking into flashing an alternative firmware on my R7000.

The other is the lack of a realtime bandwidth graph. Inexcusable.
Message 13 of 63
Novice

Re: VPN Configuration Files

This is absolutely ludicrous. I can't believe that NetGear has not fixed this huge security flaw yet! :mad: I want a refund for the device I purchased, this is just unbelievable. We should get a class action lawsuit together or something.
Message 14 of 63
Aspirant

Re: VPN Configuration Files

I suggest not to use the OpenVPN server of R7000. You cannot change the server side config with R7000 GUI. You cannot change the key and cert. So, the OpenVPN server is useless.
Message 15 of 63
Star

Re: VPN Configuration Files

This is crazy! WTF netgear. Fix this.

Support passwords, and auto generate unique certificates. Very simple to do.

My 6 year old programmer can do it for you.
Message 16 of 63

Re: VPN Configuration Files

One full year has passed since I posted the original thread. This thread is celebrating its 1 year birthday.

During this year, I bought a new laptop, changed my IP address, updated the router's firmware several times, retired some items, and bought some new items. I decided to re-visit this thread to check if anyone from NG replied. I also decided to give those old configuration files a try.

I activated the VPN on the router and tried to connect... It connected as if it was yesterday.

I am amazed how such a critical security issue is not given any attention or priority. On security breach, this is "fatal" category. People should be warned and NG should do something.

What an absolute disaster on privacy terms and security. I feel like the engine on my sports car belongs to a compact.

Message 17 of 63
NETGEAR Moderator

Re: VPN Configuration Files

Hi All,

 

This has been forwarded and we are still checking if it is possible. I will provide an update as soon as I have feedback.


Regards,

 

JamesGL
Community Team

Message 18 of 63
Aspirant

Re: VPN Configuration Files

I must have missed this since it seems so simple.  I need my Client1 config setting to work with TCP, not UDP (the default).  I can't edit the config file in the OPENVPN GUI.  I can make the changes on notepad but it will not let me save them.  Sorry if this is an easy thing but I can't figure it out.  Thanks.

Message 19 of 63
NETGEAR Moderator

Re: VPN Configuration Files

Hi @bubffan,

 

May I know what configuration did not work, which is why you wanted it to be set to TCP? Even using UDP, everything should work with OpenVPN.

 

Regards,

 

JamesGL

Community Team

Message 20 of 63
Aspirant

Re: VPN Configuration Files

I'm using tigerVPN who says they only work with TCP.

Message 21 of 63
NETGEAR Moderator

Re: VPN Configuration Files

Hi @bubffan,


The config file is used for OpenVPN only, as it is the only VPN service that the router is using, which means the config file is not applicable for other VPN services.


Regards,

 

JamesGL
Community Team

Message 22 of 63
Aspirant

Re: VPN Configuration Files

Any updates regarding this security issue?

 

Message 23 of 63
Initiate

Re: VPN Configuration Files

We seriously need an update to fix this massive security problem. We need a way to revoke certificates !!! What if your phone gets stolen etc. Then you are forced to disable VPN and not turn it on ever again.

Message 24 of 63
Aspirant

Re: VPN Configuration Files

I just setup a new router, was going to test out OpenVPN, and was looking for a way to regen certificates also.

 

So do they really ship the same keys with every router? That would mean you only need to change the remote setting in the client.ovpn then connect to any Netgear router that has their VPN activated and you have free rein of their network.

 

Good job Netgear. Want to know why you're being hacked?

Message 25 of 63
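Messages 8 and 25 both ask whether each router gets its own certificates and keys. The following is an added example, not part of any post in this thread and not Netgear code: a way for an owner to check their own devices by fingerprinting every PEM object in the configuration bundles downloaded from two routers and reporting which object types are byte-identical. The bundle contents below are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_fingerprints(text):
    """Return a set of (PEM label, SHA-256 hex of the decoded body) pairs."""
    found = set()
    for label, body in PEM_RE.findall(text):
        # Hash the decoded bytes so line endings and wrapping do not matter.
        der = base64.b64decode("".join(body.split()))
        found.add((label, hashlib.sha256(der).hexdigest()))
    return found

def shared_material(bundle_a, bundle_b):
    """Return sorted PEM labels whose contents are identical in both bundles."""
    common = pem_fingerprints(bundle_a) & pem_fingerprints(bundle_b)
    return sorted({label for label, _ in common})

def _fake_pem(label, payload):
    # Constructed stand-in: real files carry DER-encoded data, not ASCII text.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed bundles: in practice, the concatenated text of the CA certificate,
# client certificate and client key files (or the inline <ca>/<cert>/<key>
# sections of a .ovpn file) downloaded from two different routers you own.
ROUTER_A = (_fake_pem("CERTIFICATE", b"constructed-ca") +
            _fake_pem("CERTIFICATE", b"constructed-client-cert") +
            _fake_pem("PRIVATE KEY", b"constructed-client-key"))
ROUTER_B_SAME = ROUTER_A.replace("\n", "\r\n")  # same material, CRLF endings
ROUTER_B_UNIQUE = (_fake_pem("CERTIFICATE", b"other-ca") +
                   _fake_pem("CERTIFICATE", b"other-client-cert") +
                   _fake_pem("PRIVATE KEY", b"other-client-key"))

if __name__ == "__main__":
    print("shared with B (same):  ", shared_material(ROUTER_A, ROUTER_B_SAME))
    print("shared with B (unique):", shared_material(ROUTER_A, ROUTER_B_UNIQUE))
```

An empty result means the two devices issued distinct material. A shared `PRIVATE KEY` entry means the client credential is not specific to one router, which is the case the posters were worried about.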