Forum Discussion
therealrbg
Mar 25, 2020, Aspirant
recreating VPN config files
We use the VPN feature on our Orbi at our office. It's a small office so we don't use commercial style routers. I need to refresh our config files so that employees who leave the company cannot get on...
- Mar 25, 2020
therealrbg wrote: What are the consequences of changing the tun/tap ports and what range is acceptable?
Since the TUN and TAP ports are a field that can be configured, changing them should have no effect on anything, as long as the configuration files are changed to the same port numbers. If someone tries OpenVPN with the old config files, it simply won't connect. It will "error out". Someone who is serious about hacking in will have to start searching for "which ports are open" at your IP address. Eventually they will find it.
Actually, the IT guy has probably left you with a whole bunch of "things to change."
- The admin password to the Orbi system.
- The WiFi password to the Orbi WiFi.
- The admin login to the DDNS service (No-IP.com or Dyn.com)
- Passwords to any resources he tested with.
- ???
I have been struggling with "how to test without screwing up."
- Changing the TAP and/or TUN ports is pretty easy.
Just open the client.ovpn file and text edit the port change.
Go into Orbi and make the same change. "Apply"
Import the new client.ovpn file into your laptop.
Try to connect.
(Meanwhile, everyone else is totally locked out and wondering what is going on.)
If it "works", set the ports back and figure out how to communicate the change to everyone.
- I like the idea of scrambling the DDNS name (for everyone except the IT guy who knows your actual IP)
Testing that would be the same steps except to text edit the DDNS name in the config file rather than the port number.
What I have failed to find is whether you can have two DDNS entries point to the same IP address. My guess is "no", but that's because I do not know HOW the DDNS company updates their database. If this IS possible, then I would simply create a new DDNS entry, test that it works, and then delete the old DDNS entry.
- I like best of all changing the certs and key, but have no idea how to do that.
CrimpOn
Mar 25, 2020, Guru - Experienced User
Just disabling and reenabling DDNS and VPN will not result in a "change." I do this often.
The obvious things are to change:
- The TUN and/or TAP port number.
- The DDNS name. Because this is a business, I imagine you are paying for DDNS (to guarantee that it doesn't suddenly disappear).
Rather than use a "nice" DDNS name, pick something long and "unguessable". i.e. rather than "PhillsInsurance.mynetgear.com", make it "Yz45P7abcBobbyGrph.mynetgear.com" (I don't know the maximum length possible.)
This, of course, is in addition to revoking login credentials on office systems and servers.
A "cooler" method would be to create new VPN certificates and keys, but I have no clue how that might be done.
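An added example, not from this thread or from NETGEAR: a small Python audit that parses an issued client.ovpn profile for the three things both replies above suggest rotating (the DDNS host name on the `remote` line, the TUN/TAP port, and the CA certificate) and reports which of them no longer match the current server, so an administrator can confirm that a former employee's copy would fail to connect. It assumes the profile embeds its CA in an inline `<ca>` block; the host names, port and certificate bodies below are constructed, and the CA stand-ins are not real X.509 certificates.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def ca_fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in pem_text, or None."""
    m = CERT_RE.search(pem_text)
    if not m:
        return None
    return hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()

def parse_ovpn(text):
    """Extract host, port (OpenVPN default 1194) and the inline <ca> fingerprint."""
    info = {"host": None, "port": 1194, "ca_sha256": None}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()  # drop comments
        if len(parts) >= 2 and parts[0] == "remote":
            info["host"] = parts[1]
            if len(parts) >= 3:
                info["port"] = int(parts[2])
        elif len(parts) == 2 and parts[0] == "port":
            info["port"] = int(parts[1])
    ca = re.search(r"<ca>(.*?)</ca>", text, re.S)
    if ca:
        info["ca_sha256"] = ca_fingerprint(ca.group(1))
    return info

def stale_fields(profile_text, server):
    """Fields where an issued profile no longer matches the server; an empty
    list means the old profile would still connect (user credentials aside)."""
    p = parse_ovpn(profile_text)
    return [k for k in ("host", "port", "ca_sha256") if p[k] != server[k]]

def fake_pem(label):
    """Constructed stand-in for a CA certificate (not a real X.509 certificate)."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

# Constructed sample: the profile a former employee still holds, and the
# server after the DDNS name, TUN port and CA certificate were all rotated.
OLD_PROFILE = f"""client
remote PhillsInsurance.mynetgear.com 1194 udp
<ca>
{fake_pem("constructed CA v1")}
</ca>
"""
NEW_SERVER = {"host": "Yz45P7abcBobbyGrph.mynetgear.com", "port": 12194,
              "ca_sha256": ca_fingerprint(fake_pem("constructed CA v2"))}
```

Running `stale_fields(OLD_PROFILE, NEW_SERVER)` lists every field the old profile gets wrong; if only the port had been changed, the list would be `['port']`, which is exactly the "it simply won't connect" case described above.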