Orbi WiFi 7 RBE973
Reply

SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Hi,

Based in the UK, have a third party DSL router which provides Internet access. This is connected to our SXK30 on its WAN port. All VLANs on the Orbi Pro network can surf the Internet fine.

On SXK30, needed a VPN with DDNS, so setup a no-ip account. Enabled VPN and Dynamic DNS, copied OpenVPN config setup, all VPN passthrough traffic worked through DSL router and could access the Orbi Pro admin over VPN. All good.

We now have a static Internet address, so don't need no-ip and other DDNS services, so turned off Dynamic DNS in the SXK30 menu and that was when the issue started.

When I downloaded the OpenVPN config files, the .ovpn file is showing 0.0.0.0 as the destination server and not the static external address of the router. Even if I change the IP address within the .ovpn file to the actual static Internet address, OpenVPN still won't connect because the key was created when the target was 0.0.0.0

So the question is, how (with the Dynamic DNS off) can I tell the VPN listener on the SXK30 to create a key for the external DSL router address and not default to 0.0.0.0?

TIA

BSG

Message 1 of 13
schumaku
Guru

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Put in the IP address you want into the remote field of the .ovpn file.

Message 2 of 13

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Hi,

Manually adding the actual external address client.ovpn, on the remote line doesn't work.
Whilst that config file correctly routes the client through to the external router and the router passes though the TAP traffic through to the Orbi Pro, the encryption key doesn't recognise that external address, so you get a yellow status, rather than the green status.

When you download the VPN file set from the Orbi Pro VPN admin page (ca.crt, client.crt, client.key and client.ovpn) they all rely on the external IP address that the Orbi Pro can see at the time of the generation, which being dynamic DNS is turned off, is 0.0.0.0

There needs to be an an additional option on that file generation page that says "Manually enter external Internet address that will be used : xxx.xxx.xxx.xxx".

I'm thinking that maybe a workaround would be to activate Dynamic DNS, create a no-ip account with a temp hostname. Set that hostname to be the external IP address. The Orbi Pro VPN config would pull that external address from no-ip and use it when creating the encryption key. 

 

Once the correct key is made, hopefully dynamic DNS could be disabled rather than every 30 days, keeping the temp hostname alive and that with the VPN active with the correct IP in the key AND the .ovpn file, the whole system will work.

Message 3 of 13
schumaku
Guru

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS


@BrainSuperGlue wrote:

Manually adding the actual external address client.ovpn, on the remote line doesn't work.


You can enter any valid IP4 or DNS hostname there, of course.

 

@BrainSuperGlue wrote:

Whilst that config file correctly routes the client through to the external router and the router passes though the TAP traffic through to the Orbi Pro, the encryption key doesn't recognise that external address, so you get a yellow status, rather than the green status.


The OpenVPN client does offer a Show Log File (naming depends on the language version) along with the OpenVPN, nicely accumulated with timestamps. 

 

Post the log file (with the DNS name or IP address xxxx-ed), and we can have an eye on it.

 

@BrainSuperGlue wrote:

When you download the VPN file set from the Orbi Pro VPN admin page (ca.crt, client.crt, client.key and client.ovpn) they all rely on the external IP address that the Orbi Pro can see at the time of the generation, which being dynamic DNS is turned off, is 0.0.0.0..


None of the OpenVPN certificates generated does contain any reference to the IP or th hostname - these are always the same. This isn't https.

 

Yes, there are some or several shortcomings in this design, for example can the keys not re-generated from scratch.  

 

@BrainSuperGlue wrote:

There needs to be an an additional option on that file generation page that says "Manually enter external Internet address that will be used : xxx.xxx.xxx.xxx"..


For the few users with static IP addresses, this would be nice.

 

 

 

Message 4 of 13

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Hi,

In regards to adding IPv4 or DNS hostname in the .ovpn config, true but the issue still exists that where is some extra checking which is still seeing 0.0.0.0, even thought the external lookup is correct.

With the client.log, the settings given by the Orbi Pro config show as the following warnings and deprication in the OpenVPN logging.

"2024-03-29 04:24:21 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-03-29 04:24:21 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations."

I had these when the VPN was working and pulling the external address from dynamic DNS, so these don't appear to be the issue why the handshaking isn't completing.

The question remains, given in the UK, given we have to use a DSL modem which provides passthrough, how can we make the Orbi Pro automatically see what the external Internet address has been allocated to the connection.

We know that the Orbi Pro mesh can route correctly to the Internet given we can do whatismyip.com on any browser on any VLAN and it will show us.

Why then, when dynamic DNS is turned off, can't the Orbi Pro firmware pick up the external Internet address even though it can see it and still provides 0.0.0.0, plus how can we, even if we have to go into the command line on the Orbi Pro, manually tell it the external IP address, if it won't pick it up itself?

TIA
BSG



Message 5 of 13
schumaku
Guru

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS


@BrainSuperGlue wrote:

In regards to adding IPv4 or DNS hostname in the .ovpn config, true but the issue still exists that where is some extra checking which is still seeing 0.0.0.0, even thought the external lookup is correct.

With the client.log, the settings given by the Orbi Pro config show as the following warnings and deprication in the OpenVPN logging.

"2024-03-29 04:24:21 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-03-29 04:24:21 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations."

I had these when the VPN was working and pulling the external address from dynamic DNS, so these don't appear to be the issue why the handshaking isn't completing.


None of these messages (and likely the problem you are facing) is caused by setting your IPv4 address or the hostname. Much more, Netgear has massive backlog, and has still not updated the OpenVPN implementation (certainly not on the Orbi Pros) to fit the last changes put in pace by the OpenVPN team.

 

@BrainSuperGlue wrote:

The question remains, given in the UK, given we have to use a DSL modem which provides passthrough, how can we make the Orbi Pro automatically see what the external Internet address has been allocated to the connection.

We know that the Orbi Pro mesh can route correctly to the Internet given we can do whatismyip.com on any browser on any VLAN and it will show us.

Why then, when dynamic DNS is turned off, can't the Orbi Pro firmware pick up the external Internet address even though it can see it and still provides 0.0.0.0, plus how can we, even if we have to go into the command line on the Orbi Pro, manually tell it the external IP address, if it won't pick it up itself?


Not many subscribers have fixed (more static IP addresses assigned to dynamic connection).

 

You could (for example)

  • put in the fixed assigned IPv4 address (as it's static anyway), or
  • put up an own DNS service, with an A name pointing to that fixed IP address, or last but not least,
  • keep DDNS operational.

Nothing specific to the UK, valid all around the world, with very few exceptions.

 

Your proposal or idea to allow an additional config option is of course valid. Not sure Netgear can and will pick this up for the OpenDNS revision overdue anyway. You could try and file a feature request ...

 

 

Message 6 of 13

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Hi,

In relation to "put in the fixed assigned IPv4 address (as it's static anyway)"
Put the static IPv4 address where?, given that DDNS isn't active.

Thanks

BSG

Message 7 of 13
schumaku
Guru

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Iuto the OpenVPN config file I had in mind

Message 8 of 13

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Sorry, I don't understand what you mean by luto.
Can you clarify?
Thanks.

Message 9 of 13
schumaku
Guru

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

I hsd the OpenVPN config file I had in mind ... typo, sorry 

Message 10 of 13

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

So then, the 0.0.0.0 VPN issue still exists.

How can I raise a feature request covering "When DDNS is turned off on Orbi Pro, a place on the VPN configuration webpage to manually enter the external IP address the VPN traffic would be coming from" ?

Thanks

BSG

Message 11 of 13
schumaku
Guru

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Message 12 of 13

Re: SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

Message 13 of 13
Top Contributors
Discussion stats
  • 12 replies
  • 729 views
  • 1 kudo
  • 2 in conversation
Announcements