Orbi CBR 750 with OpenVPN for home setup?

j4x4
Aspirant

Orbi CBR 750 with OpenVPN for home setup?

Hello,

I got some great help from Netgear on my OpenVPN install. It's up and running on my Orbi.

Next step is to install certificate authentication to secure the connection. Does anyone have experience with this step? I cannot find anything on the community pages here.

Thanks in advance,

J

Message 1 of 15
FURRYe38
Guru

Re: Orbi CBR 750 with OpenVPN for home setup?

Netgear has set up a community forum specifically for the Cable Modem products. Most of the people who watch that forum are more likely to have experience with Cable modems and know how to work it better than those of us who follow this router forum. Might be more likely to find someone who has a solution if the question is posted there:
https://community.netgear.com/t5/Cable-Modems-Routers/bd-p/home-cable-modems-routers

Thank you.

Message 2 of 15

Re: Orbi CBR 750 with OpenVPN for home setup?


@j4x4 wrote:

 

I got some great help from Netgear on my OpenVPN install. It's up and running on my Orbi.

Next step is to install certificate authentication to secure the connection. Does anyone have experience with this step? I cannot find anything on the community pages here.

 

This one comes up from time to time. I don't know where you looked – but I found several other messages on the community pages here. This might help:

 

Search - NETGEAR Communities – OpenVPN certificate

 

As that search shows, it is a generic issue that applies to all routers that support OpenVPN.

 

PS Unless you hit a brick wall and hit something specific to your hardware, please don't waste your, and anybody else's, time chasing off into other areas of this community. Life's too short. Next to no one follows the section you were directed to. The answers you get there, if there are any, will be the same as you get here. As the link above shows, it is a generic router issue. Best dealt with here first. It is the busiest section for router issues.

Message 3 of 15
CrimpOn
Guru

Re: Orbi CBR 750 with OpenVPN for home setup?


@j4x4 wrote:

Hello,

I got some great help from Netgear on my OpenVPN install. It's up and running on my Orbi.

Next step is to install certificate authentication to secure the connection. Does anyone have experience with this step?


Can you please provide a link to where the need for this step is described?

 

I set up OpenVPN on two Orbi systems.  Orbi creates the needed certificates and host/client keys and includes them in the ovpn files (separate files for Windows.  "all-in-one" file for smartphone and non-windows).

 

The connection is secure because only the Orbi and the client have this information.

Message 4 of 15
j4x4
Aspirant

Re: Orbi CBR 750 with OpenVPN for home setup?

Hello,

Thanks for getting back to me. When I run the OpenVPN GUI I get these error messages in red:
Wed Oct 20 19:07:02 2021 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Wed Oct 20 19:07:02 2021 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
Wed Oct 20 19:07:03 2021 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 20 19:07:04 2021 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Wed Oct 20 19:07:04 2021 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
Wed Oct 20 19:07:09 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
***
I am not sure where to make these fixes ... do I need to add these lines to the actual code? Just not sure how to fix this one ...

Message 5 of 15
j4x4
Aspirant

Re: Orbi CBR 750 with OpenVPN for home setup?

I keep getting warnings that state no certificate verification has been enabled. I installed OpenVPN 2.5.4 on my Windows 10 machine.

The same warnings directed me to visit the OpenVPN website. When I tried to get help there, the posts I found directed me ... back here.

Searching on this page led me here:

https://openvpn.net/community-resources/how-to/#numbering-private-subnets

But the most recent version of OpenVPN referred to is 2.3.x.

Before I go through all of the steps described for that, I want to know if there is a better/easier/other way to generate certificates with OpenVPN 2.5.4

I saw other posts here that said it's automatic, but that has not been my experience so far.

Thanks again for any help you can offer.

 

Message 6 of 15
CrimpOn
Guru

Re: Orbi CBR 750 with OpenVPN for home setup?

That OpenVPN page is pointing out that the "local LAN" subnet for the client machine must be different from the local LAN for the host.

i.e. If the Orbi LAN is 192.168.1.x, then the client must not be in the same subnet on its end.  This is likely to happen when the remote client is connected to another consumer router that defines the local LAN the same way the Orbi does (192.168.1.x).

 

I have been fortunate because I always test my OpenVPN connections by creating a Hot Spot on my smartphone and the smartphone defines its LAN as 192.168.43.x (why they picked 43 is an interesting question).

 

This would seem to have nothing to do with certificates.  Will need to do more research on that question.

Message 7 of 15
CrimpOn
Guru

Re: Orbi CBR 750 with OpenVPN for home setup?


@j4x4 wrote:

I keep getting warnings that state no certificate verification has been enabled. I installed OpenVPN 2.5.4 on my Windows 10 machine.

I saw other posts here that said it's automatic, but that has not been my experience so far.

Thanks again for any help you can offer.


The windows.zip file I downloaded from the Orbi contains these files:

  • client.ovpn - which contains the instructions to OpenVPN, including the names of the certificate and key files
  • ca.crt - which is the SSL certificate for the OpenVPN host
  • client.crt - which is the SSL certificate for the OpenVPN client
  • client.key - which is a public key

Perhaps the issue is certificate verification. Looking at the smartphone ovpn file, I find this:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear CA/name=EasyRSA/emailAddress=mail@netgear
Validity
Not Before: Jul 13 19:33:02 2018 GMT
Not After : Jul 8 19:33:02 2038 GMT
Subject: C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=client/name=EasyRSA/emailAddress=mail@netgear

This leads me to believe that this is a self-signed SSL certificate.  OpenVPN may complain about this, but there is a world of difference between connecting to a web site that claims to be Bank of America and connecting to MY OWN ROUTER.

 

I just downloaded the latest OpenVPN version and will see what it says about my Orbi connection........ (more to come)

Message 8 of 15
j4x4
Aspirant

Re: Orbi CBR 750 with OpenVPN for home setup?

Thanks for getting back to me. I will stay tuned! Also wondering how you download files from your router ... or maybe I misunderstood what you wrote? Either way, thanks and looking forward to working with you to fix this problem.

Message 9 of 15
CrimpOn
Guru

Re: Orbi CBR 750 with OpenVPN for home setup?


@j4x4 wrote:

Thanks for getting back to me. I will stay tuned! Also wondering how you download files from your router ... or maybe I misunderstood what you wrote? Either way, thanks and looking forward to working with you to fix this problem.


On the Orbi web interface where OpenVPN is configured, there are three "click boxes" which are used to download the configuration files for Windows, for MacOS, and for Smartphone.  (See image attached)

Under those boxes are links that will bring up the instructions for setting up OpenVPN on each type of client.

 

Message 10 of 15
j4x4
Aspirant

Re: Orbi CBR 750 with OpenVPN for home setup?

Thank you, that is how I downloaded OpenVPN 2.5.4 last week. Netgear tech support walked me through the download and install, but we did not manage to get the certificate part handled. Still trying things out ... I am reading that EasyRSA-3 needs to be downloaded separately, but also found posts elsewhere that stated the whole certificate authentication setup should be automatic with 2.5.4 ... OpenVPN tech support was not able to help me out since this is not their cloud-based VPN service ... so frustrating.

Message 11 of 15
j4x4
Aspirant

Re: Orbi CBR 750 with OpenVPN for home setup?

... and now reading over another post you made, it seems like I am trying to do something impossible here. I want to install VPN on the router itself so that every device in the house is protected. But it seems like there is no VPN that works like that with the Orbi mesh routers.

 

If that is the case, what are my options? Or is this a bridge too far?

Message 12 of 15
CrimpOn
Guru

Re: Orbi CBR 750 with OpenVPN for home setup?


@j4x4 wrote:

... and now reading over another post you made, it seems like I am trying to do something impossible here. I want to install VPN on the router itself so that every device in the house is protected. But it seems like there is no VPN that works like that with the Orbi mesh routers.

 

If that is the case, what are my options? Or is this a bridge too far?


This is indeed the case.  No Netgear router supports OpenVPN "Client Mode" that creates a tunnel for every device inside the LAN to access the internet through the tunnel (and an external OpenVPN host, such as NordVPN).

 

There is third party firmware for the RBR50 model (only that specific model) which does support two VPN clients, OpenVPN and WireGuard.

http://www.voxel-firmware.com/Downloads/Voxel/html/orbi.html 

(This is just me, personally, but...) I am not convinced of the need to have every device in the house communicate through VPN (smart plugs? televisions? thermostats?)  With modern browsers fully committed to SSL connections, I am not certain that VPN's are all that necessary anymore.  The "bottom line" is that the stock firmware for Netgear's routers does not support VPN Client mode.

Message 13 of 15
CrimpOn
Guru

Re: Orbi CBR 750 with OpenVPN for home setup?

It appears this is something out of Shakespeare, "full of sound and fury. signifying nothing."

I just now used OpenVPN 2.5.4 on Windows 10 to connect to my Orbi (using a Hot Spot from my smartphone).

The connection worked perfectly.  I could access devices on the Orbi LAN, including the Orbi router itself.  The OpenVPN log file contained this warning:

 

2021-10-20 21:41:38 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-10-20 21:41:38 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-10-20 21:41:39 WARNING: No server certificate verification method has been enabled.  See https://??????  for more info.
2021-10-20 21:41:51 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

 

Looking back through the OpenVPN log, this warning has appeared every time I have connected to my Orbi router using OpenVPN (going back months and months).

My guess is that Netgear could prevent this by updating OpenVPN to use a more modern encryption algorithm (AES-256-GCM)

 

I looked through the "Changes" notes on Voxel's firmware for the RBR50.  It looks like he has updated OpenVPN to more current versions and improved the encryption used, which would possibly eliminate that warning.  Does not apply to the RBR750, however.  "oh, well."

 

 

Message 14 of 15
Spoongooner
Guide

Re: Orbi CBR 750 with OpenVPN for home setup?

 

to fix the cipher AES-128-CBC error message on mine...

 

right click on openvpn icon on toolbar.. click on edit config

 

change this

cipher AES-128-CBC

 

to this

 

cipher AES-128-GCM

 

I don't know if that's good or bad.. but my error went away

 

 

also i figured out.. if you open the client.ovpn file in notepad..

its the same as editing config file

 

hopefully that helps someone...

Message 15 of 15
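
Added example (not part of any post in this thread, and not NETGEAR or OpenVPN code): a small Python check that reads a client profile such as client.ovpn and reports which of the four warnings quoted in the logs above it would still trigger. The sample profile, its host and port, and the function names are constructed for illustration; the default data-ciphers list is the one quoted in the DEPRECATED OPTION log line.

```python
import shlex

# Any one of these counts as a server certificate verification method.
VERIFY = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
          "verify-x509-name", "tls-verify", "ns-cert-type"}
# Client default quoted in the DEPRECATED OPTION log line above.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"

# Constructed sample profile, not a real Orbi export; host and port are placeholders.
SAMPLE_OVPN = """\
client
dev tap
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
"""

def parse_directives(text):
    """Map directive name -> argument list, skipping comments and inline <ca>-style blocks."""
    found, in_block = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("<"):
            in_block = not line.startswith("</")
        elif line and not in_block and line[0] not in "#;":
            name, *args = shlex.split(line)
            found[name] = args
    return found

def audit(text):
    """Return the warnings from the thread's log that this profile would still trigger."""
    d = parse_directives(text)
    findings = []
    if VERIFY.isdisjoint(d):
        findings.append("no server certificate verification method")
    allowed = d.get("data-ciphers", [DEFAULT_DATA_CIPHERS])[0].upper().split(":")
    if "cipher" in d and d["cipher"][0].upper() not in allowed:
        findings.append("cipher missing from data-ciphers")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled")
    if "auth-nocache" not in d:
        findings.append("auth-nocache not set")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OVPN):
        print("WARN:", finding)
```

Adding "remote-cert-tls server" to a profile only works if the router's server certificate carries the TLS server key usage; if it does not, the client refuses the connection instead of printing a warning.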