Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

Shovel-SR
Aspirant

Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

Hi all,

I just switched from a Nighthawk R6800 to an Orbi RBK353 mesh (RBK350 router and 2 satellites). I am really pleased with the Orbi generally, except for the VPN service.

 

The router F/w is V4.4.1.29_3.10.80, my Android is running version 9, and the OpenVPN client is the latest on Google Play.

 

I had a VPN on my R6800 which worked for 5+ years without issues, was really easy to set up and never failed me. Setting up the same service on my Orbi with new client configs for my Windows and Android devices has been less than inspiring - I have managed to get the Windows service working, but only after many hours of trying various web posted solutions. The one that worked for Windows was to add a line at the end of the config "remote-cert-tls server".

 

However, adding that to the Android config file achieves nothing. I get the exact same error and am now going round in circles. The full error message is:

 

Transport Error:OpenSSLCOntext::read_cleartext:BIO_read failed,cap=2576 status=-1:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed. 

 

My config file is standard as produced by the router for Android - a smart_phone.ovpn which is a unified config with the certs and keys included.

 

I am using a DDNS (which is updated and working).

 

Anybody got any ideas? I would really appreciate any help here. 

 

Thanks

Message 2 of 20


All Replies
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

Hi all,

I just switched from a Nighthawk R6800 to an Orbi RBK353 mesh (router and 2 satellites). I am really pleased with the Orbi generally, except for the VPN service.

 

I had a VPN on my R6800 which worked for 5+ years without issues. Setting up the same service on my Orbi with new client configs for my Windows and Android devices has been less than inspiring. I have managed to get the Windows service working, but only after many hours of trying various web posted solutions. The one that worked for Windows was to add a line at the end of the config "remote-cert-tls server".

 

However, adding that to the Android config file achieves nothing. I get the exact same error and am now going round in circles. The full error message is:

 

Transport Error:OpenSSLCOntext::read_cleartext:BIO_read failed,cap=2576 status=-1:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed. 

 

My config file is standard as produced by the router for Android - a smart_phone.ovpn which is a unified config with the certs and keys included.

 

I am using a DDNS (which is updated and working).

 

Anybody got any ideas?

 

Thanks

Message 1 of 20
CrimpOn
Guru

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

Bummer.  This is using a config file produced by the new Orbi RBR350 router?

 

The Android configuration that I am using for an older Orbi RBR50 is this:

client
dev tun
proto udp
remote xxxxxxxx.mynetgear.com  12973
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----

OpenVPN Connect 3.3.1, updated Feb 22, 2023 on Android 10.

 

The OpenVPN log file:

08:54:56.172 -- ----- OpenVPN Start -----

08:54:56.173 -- EVENT: CORE_THREAD_ACTIVE

08:54:56.175 -- OpenVPN core 3.git::d3f8b18b:Release android arm64 64-bit PT_PROXY

08:54:56.175 -- Frame=512/2048/512 mssfix-ctrl=1250

08:54:56.181 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
13 [verb] [5]

08:54:56.181 -- EVENT: RESOLVE

08:54:56.392 -- Contacting 172.249.112.236:12973 via UDP

08:54:56.392 -- EVENT: WAIT

08:54:56.396 -- Connecting to [xxxxxxxxxx.mynetgear.com]:12973 (xxx.xxx.xxx.xxx) via UDPv4

08:54:56.585 -- EVENT: CONNECTING

08:54:56.588 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client

08:54:56.588 -- Creds: UsernameEmpty/PasswordEmpty

08:54:56.589 -- Peer Info:
IV_VER=3.git::d3f8b18b:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.1-9079
IV_SSO=webauth,openurl


08:54:56.685 -- VERIFY OK: depth=1, /C=TW/ST=TW/L=Taipei/O=netgear/OU=netgear/CN=netgear CA/name=EasyRSA/emailAddress=mail@netgear, signature: RSA-SHA256

08:54:56.686 -- VERIFY OK: depth=0, /C=TW/ST=TW/L=Taipei/O=netgear/OU=netgear/CN=server/name=EasyRSA/emailAddress=mail@netgear, signature: RSA-SHA256

08:54:56.840 -- SSL Handshake: peer certificate: CN=server, 1024 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD


08:54:56.840 -- Session is ACTIVE

08:54:56.841 -- EVENT: GET_CONFIG

08:54:56.843 -- Sending PUSH_REQUEST to server...

08:54:56.997 -- OPTIONS:
0 [dhcp-option] [DNS] [192.168.1.1]
1 [route-gateway] [192.168.2.1]
2 [topology] [subnet]
3 [ping] [10]
4 [ping-restart] [120]
5 [redirect-gateway] [def1]
6 [ifconfig] [192.168.2.2] [255.255.255.0]
7 [peer-id] [0]
8 [cipher] [AES-256-GCM]


08:54:56.998 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: LZO_STUB
  peer ID: 0

08:54:56.999 -- EVENT: ASSIGN_IP

08:54:57.021 -- Connected via tun

08:54:57.022 -- LZO-ASYM init swap=0 asym=1

08:54:57.022 -- Comp-stub init swap=0

08:54:57.023 -- EVENT: CONNECTED info='xxxxxxxx.mynetgear.com:12973 (xxx.xxx.xxx.xxx) via /UDPv4 on tun/192.168.2.2/ gw=[192.168.2.1/]'

 

Message 3 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

Hi @CrimpOn,

 

Thanks for the response. Your config is exactly the same as mine where it matters (obviously different server addresses etc - I use a NoIP DDNS pointing back to my router).

 

I have found a solution this afternoon though. Where the issue is, I still can't say especially as some users with OpenVPNConnect are fine, and others aren't.

 

The solution was to install another VPN client software, called "OpenVPN for Android" written by Arne Schwabe, and available on Google Play. While this is not my preferred option, as I would rather use the official app, it has solved the problem. It appears therefore that there is a bug in OpenVPN Connect. Odd, as other users are having no issues, and I didn't on my R6800. It only started once I had switched to the Orbi. I suspect that the "bug" is a mismatch between the Orbi server settings and OpenVPN Connect.

 

Interestingly, in order to eliminate a very similar issue on Windows, I had to add a line to the end of my config file:

remote-cert-tls server

 

Whatever the issues are, the solution for Android is to install and use OpenVPN for Android, and not the official OpenVPN app.

 

Cheers

Message 4 of 20
CrimpOn
Guru

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

My DDNS is also through No-IP.com

 

Very puzzling. Where did my log file differ from yours?

Message 5 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

I don't know why, but any reply I put up here is disappearing. I have tried 4 times to respond with my log file but as soon as I hit post, the message flies off into the aether.

 

Message 6 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

OK so that last one stayed up. It must be I'm doing something wrong with the log file. As it is so small, I was pasting it inline directly to the post from a plain text file (so no markup). I can only assume the system has an issue with that for some reason.

 

I can't see how to upload the file, as the attachment box below won't accept anything other than PDF or images.

Message 7 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

I have attached the log as a PDF

Message 8 of 20
CrimpOn
Guru

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

Thanks for persevering to provide the OpenVPN log file.  Our log files differ at this point:

 

Mine:

08:54:56.685 -- VERIFY OK: depth=1, /C=TW/ST=TW/L=Taipei/O=netgear/OU=netgear/CN=netgear CA/name=EasyRSA/emailAddress=mail@netgear, signature: RSA-SHA256

 

Yours:

[Image: CrimpOn_0-1681754954947.png]

The difference appears to be that mine has CN=netgear CA/name=EasyRSA.

Yours has CN=netgear/name=changeme.

 

This information is found in the ovpn file after the first certificate. i.e.:

client
dev tun
proto udp
remote bednarhouse.mynetgear.com  12973
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
(certificate)
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear CA/name=EasyRSA/emailAddress=mail@netgear
        Validity
            Not Before: Jul 13 19:33:02 2018 GMT
            Not After : Jul  8 19:33:02 2038 GMT

Could you look at your ovpn file and see what is at that location?

Message 9 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

Mine has:

Issuer: C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear/name=changeme/emailAddress=mail@netgear.com

 

I'll change that line to read the same as yours:

Issuer: C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear/name=EasyRSA/emailAddress=mail@netgear.com

 

I'll let you know shortly how that goes

Message 10 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

OK, so I changed that line and 2 others where the CN had changeme as the name. I did them all one at a time until all were reading EasyRSA.

 

Unfortunately, the changes did not work. The log file still shows the same error, and shows the name=changeme in the error message.

 

I have attached the config as a PDF (without the certs/keys contents) 

Message 11 of 20
CrimpOn
Guru

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

I think you missed the CN=netgear CA

CN=netgear(space)CA

 

Message 12 of 20
CrimpOn
Guru

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

You are correct that these appear in both the company and client certificates.

 

Seems very strange that your router would produce a smartphone.ovpn file that is different from mine.

Can you try downloading a new file to double check?

Message 13 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

I can't see that. All the lines with CN=netgear/name=EasyRSA are the same

Message 14 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

I have tried a new file a few times for belt and braces. I have to now assume that the Netgear server config is suspect on the Orbi, and is producing somewhat corrupted configs.

 

Message 15 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

Even more interesting is that the OpenVPN for Android app is completely agnostic about the name tag. I have imported the new config (with the name= EasyRSA) and it still works.

 

 

Message 16 of 20
CrimpOn
Guru

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile


@Shovel-SR wrote:

I can't see that. All the lines with CN=netgear/name=EasyRSA are the same


Two of the lines in mine have CN=netgear CA and one has CN=client

[Image: CrimpOn_0-1681764938250.png]

 

Message 17 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

I missed that. I have made the change and still get the error, stating that CN=netgear/name=changeme !!

 

I can't see where that is coming from, unless it is embedded in the cert itself...

Message 18 of 20
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

The other OpenVPN app has an edit function that decodes the certs, and it definitely shows name=changeme, on both the CA and the Client certs.

 

I think that is the problem. The implementation of the server scripts is incorrect on the Orbi.

Message 19 of 20
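
Added example (not part of the thread, and not Netgear or OpenVPN code): the readable "Issuer:" dump inside an inline <cert> block is only an annotation, while the names the client verifies are encoded in the base64 DER between the BEGIN/END lines, which is why editing the text line changed nothing. The sketch below decodes the DER and compares it with the text; the sample is a constructed DER Name fragment standing in for a full certificate, and all function names are hypothetical.

```python
import base64
import re

OIDS = {bytes.fromhex("550403"): "CN", bytes.fromhex("550429"): "name"}  # 2.5.4.3, 2.5.4.41
STRING_TAGS = {0x0C, 0x13, 0x16}  # UTF8String, PrintableString, IA5String

def walk(der):
    """Yield (tag, value) for every DER element, descending into constructed ones."""
    i = 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        value, i = der[i:i + length], i + length
        yield tag, value
        if tag & 0x20:  # SEQUENCE, SET and [n] wrappers hold further elements
            yield from walk(value)

def names_in(der):
    """Return the CN/name attribute values that are encoded in the DER bytes."""
    out, pending = [], None
    for tag, value in walk(der):
        if pending and tag in STRING_TAGS:
            out.append((pending, value.decode("utf-8", "replace")))
        pending = OIDS.get(value) if tag == 0x06 else None
    return out

def inline_block(ovpn, tag):
    """Split an inline <tag> block into (readable text dump, decoded DER bytes)."""
    body = re.search(rf"<{tag}>(.*?)</{tag}>", ovpn, re.S).group(1)
    pem = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", body, re.S)
    return body[:pem.start()].strip(), base64.b64decode(pem.group(1))

def tlv(tag, *parts):  # minimal DER encoder, used only to build the sample
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def rdn(oid_hex, text):  # SET { SEQUENCE { OID, UTF8String } }
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)), tlv(0x0C, text.encode())))

# Constructed sample: a DER Name fragment stands in for the full certificate.
SAMPLE_DER = tlv(0x30, rdn("550403", "netgear"), rdn("550429", "changeme"))
ORIGINAL = ("client\n<cert>\nCertificate:\n    Issuer: CN=netgear/name=changeme\n"
            "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
            + "-----END CERTIFICATE-----\n</cert>\n")
EDITED = ORIGINAL.replace("CN=netgear/name=changeme", "CN=netgear CA/name=EasyRSA")

for label, cfg in (("original", ORIGINAL), ("edited", EDITED)):
    text, der = inline_block(cfg, "cert")
    print(f"{label}: text says {text.splitlines()[-1].strip()!r}, DER says {names_in(der)}")
```

Both configs report name=changeme from the DER even though the edited text line reads EasyRSA; changing what a client sees requires the server to issue a new certificate.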
Shovel-SR
Aspirant

Re: Orbi RBK353 (350 with 2 satellites) VPN Error on Android mobile

@CrimpOn Thanks for all your help and efforts to resolve this issue. I think I am going to stick with using the OpenVPN for Android app, as it works no matter what the CN name is.

 

I have marked my earlier post as the solution, so anyone else with the same issues can hopefully go down the same road, and at least have a working VPN

Message 20 of 20