Re: recreating VPN config files

therealrbg
Aspirant

recreating VPN config files

We use the VPN feature on our Orbi at our office. It's a small office, so we don't use commercial-style routers. I need to refresh our config files so that employees who leave the company cannot get on the network. However, I see no way of doing this. Do I just disable and enable the VPN? Or is there some other step I need to take?

 

 

Model: RBR20|Orbi AC2200 Tri-band WiFi Router
Message 1 of 6


All Replies
CrimpOn
Guru

Re: recreating VPN config files

Just disabling and reenabling DDNS and VPN will not result in a "change."  I do this often.

 

The obvious things are to change:

  • The TUN and/or TAP port number.
  • The DDNS name.  Because this is a business, I imagine you are paying for DDNS (to guarantee that it doesn't suddenly disappear).
    Rather than use a "nice" DDNS name, pick something long and "unguessable".  i.e. rather than "PhillsInsurance.mynetgear.com", make it "Yz45P7abcBobbyGrph.mynetgear.com" (I don't know the maximum length possible.)

This, of course, is in addition to revoking login credentials on office systems and servers.

 

A "cooler" method would be to create new VPN certificates and keys, but I have no clue how that might be done.

Message 2 of 6
CrimpOn
Guru

Re: recreating VPN config files

It would be a fun experiment to try changing the DDNS name and see if that forces a new certificate or key.

My guess is, "no" because the DDNS and port information are separate from the certificate and key, and also because DDNS is only for our convenience.  A person could VPN directly to the public IP address of the Orbi.

 

This is also a sort of awkward time to be fooling around with VPN when so many people are working remotely.

Message 3 of 6
therealrbg
Aspirant

Re: recreating VPN config files

Thank you for the help. The timing is actually very related. We had all our employees start working remotely two weeks ago. Then we quickly found out our existing VPN solution was not going to work at even our tiny scale. So we had a freelance IT guy come in and help us set up OpenVPN. The issue is he has copies of all the config files. While I am sure he doesn't care, we are trying to do things right and make sure to plug all the holes.

 

What are the consequences of changing the tun/tap ports and what range is acceptable?

Message 4 of 6
CrimpOn
Guru

Re: recreating VPN config files


@therealrbg wrote:

What are the consequences of changing the tun/tap ports and what range is acceptable?


Since the TUN and TAP ports are a field that can be configured, changing them should have no effect on anything, as long as the configuration files are changed to the same port numbers.  If someone tries OpenVPN with the old config files, it simply won't connect.  It will "error out".  Someone who is serious about hacking in will have to start searching for "which ports are open" at your IP address.  Eventually they will find it. 

 

Actually, the IT guy has probably left you with a whole bunch of "things to change."

  • The admin password to the Orbi system.
  • The WiFi password to the Orbi WiFi.
  • The admin login to the DDNS service (No-IP.com or Dyn.com)
  • Passwords to any resources he tested with.
  • ???

I have been struggling with "how to test without screwing up."

  • Changing the TAP and/or TUN ports is pretty easy.
    Just open the client.ovpn file and text edit the port change.
    Go into Orbi and make the same change.  "Apply"
    Import the new client.ovpn file into your laptop.
    Try to connect.
    (Meanwhile, everyone else is totally locked out and wondering what is going on.)
    If it "works", set the ports back and figure out how to communicate the change to everyone.
  • I like the idea of scrambling the DDNS name (for everyone except the IT guy who knows your actual IP)
    Testing that would be the same steps except to text edit the DDNS name in the config file rather than the port number.
    What I have failed to find is whether you can have two DDNS entries point to the same IP address.  My guess is "no", but that's because I do not know HOW the DDNS company updates their database. If this IS possible, then I would simply create a new DDNS entry, test that it works, and then delete the old DDNS entry.
  • I like best of all changing the certs and key, but have no idea how to do that.
Message 5 of 6
CrimpOn
Guru

Re: recreating VPN config files

Voxel, who has created a more efficient version of Orbi firmware, reminded me that he had already told me how to generate new certs for the Orbi OpenVPN:

 

a. Stop your OpenVPN servers
b. Enter to telnet/ssh console
c. run the command

        /etc/init.d/openvpn regenerate_cert_file

d. reboot your RBR

 

So, no need to monkey around with DDNS or TUN/TAP ports.  Regenerate the certs, download the new client config files and distribute them to users.

 

If I were at all sophisticated, I probably could have found this command in the OpenVPN web site documentation.  (Fortunately, Voxel is too kind to point that out.)

Message 6 of 6
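The two approaches discussed in messages 5 and 6 (editing the port in client.ovpn, versus regenerating the certificates so old profiles no longer authenticate) can be checked mechanically against an exported profile. The following is an added example, not part of the thread and not Orbi or OpenVPN project code: it parses the `remote host port` line and the inline `<ca>` block of a constructed, placeholder .ovpn profile, rewrites the port the way message 5 describes, and then classifies what a departed user's old copy can still do. The hostname, port number and certificate bodies are made up for the example; the `<ca>` block is used as a proxy for "the router's key material changed", which is what `regenerate_cert_file` produces.

```python
"""Inspect OpenVPN client profiles (.ovpn) to see which kind of
"refresh" actually locks out an old copy.  Added example; the profile
contents below are constructed placeholders, not real Orbi output."""
import base64
import hashlib
import re

# Constructed CA bodies: valid base64 so the fingerprint code runs, but
# not real X.509 certificates.
_CA_ONE = base64.b64encode(b"constructed CA number one").decode()
_CA_TWO = base64.b64encode(b"constructed CA number two").decode()


def make_profile(host, port, ca_body):
    """Build a minimal client profile in the inline-certificate style."""
    return (
        "client\n"
        "dev tun\n"
        "proto udp\n"
        f"remote {host} {port}\n"
        "resolv-retry infinite\n"
        "nobind\n"
        "<ca>\n"
        "-----BEGIN CERTIFICATE-----\n"
        f"{ca_body}\n"
        "-----END CERTIFICATE-----\n"
        "</ca>\n"
    )


# The profile the departed user still has (placeholder host and port).
OLD_PROFILE = make_profile("example-office.mynetgear.com", 12974, _CA_ONE)

_REMOTE_RE = re.compile(r"^remote[ \t]+(\S+)[ \t]+(\d+)[ \t]*$", re.M)


def parse_remote(profile):
    """Return (host, port) from the profile's 'remote' directive."""
    m = _REMOTE_RE.search(profile)
    if not m:
        raise ValueError("no 'remote <host> <port>' line in profile")
    return m.group(1), int(m.group(2))


def set_remote_port(profile, new_port):
    """Rewrite the port on the 'remote' line (the message-5 procedure).

    OpenVPN accepts 1-65535; this example additionally refuses ports
    below 1024 to stay clear of privileged ports.  That lower bound is
    a choice made here, not a limit the router imposes.
    """
    if not 1024 <= new_port <= 65535:
        raise ValueError("port must be in 1024-65535")
    if not _REMOTE_RE.search(profile):
        raise ValueError("no 'remote <host> <port>' line in profile")
    return _REMOTE_RE.sub(lambda m: f"remote {m.group(1)} {new_port}", profile)


def inline_pem(profile, tag):
    """Return the PEM text between <tag> and </tag>."""
    m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", profile, re.S)
    if not m:
        raise ValueError(f"no inline <{tag}> block in profile")
    return m.group(1)


def cert_fingerprint(pem):
    """SHA-256 over the DER bytes of a PEM certificate block."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def classify_old_profile(old, current):
    """What an OLD profile can do against a router exporting CURRENT.

    'revoked'     - the CA material changed, so the TLS handshake fails
                    no matter which host or port the client reaches.
    'obscured'    - same keys, different host/port: it connects again
                    as soon as the new port or address is found.
    'still works' - nothing relevant changed.
    """
    old_ca = cert_fingerprint(inline_pem(old, "ca"))
    cur_ca = cert_fingerprint(inline_pem(current, "ca"))
    if old_ca != cur_ca:
        return "revoked"
    if parse_remote(old) != parse_remote(current):
        return "obscured"
    return "still works"


if __name__ == "__main__":
    moved = set_remote_port(OLD_PROFILE, 22222)
    regen = make_profile("example-office.mynetgear.com", 12974, _CA_TWO)
    print("port change only :", classify_old_profile(OLD_PROFILE, moved))
    print("certs regenerated:", classify_old_profile(OLD_PROFILE, regen))
```

Run it against the real old and newly downloaded client.ovpn files (read them in place of the constructed strings) after the `regenerate_cert_file` step; if the result is anything other than `revoked`, the old profiles were not actually invalidated and only the port or DDNS name was moved.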