× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
× Introducing the new Orbi 770 Series Mesh System. To learn more click here.
Orbi WiFi 7 RBE973
Reply

Re: R6220 VPN

Inetwl
Aspirant

R6220 VPN

I am trying to use OPENVPN with my Netgear router. There is no OpenVPN server between the router and the client.


The Netgear router generates a .zip file that contains files to use in the OpenVPN Connect Client. However, the ca.crt does not seem to have been generated using a secure hash algorithm. The details on the cert files indicate that the router generates them with an md5 hash or an md5RSA hash.


The error message from the OpenVPN Connect Client is
SSL_CA_MD_TOO_WEAK OpenSSLContext: SSLXTX_use_certificate failed: error 140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak.


I worked with the OpenVPN easyRSA to generate other certs based on the ones that came from the router, but none of them have worked. If anyone has come up with a solution that will allow the router to generate a VPN set of files for use with OpenVPN Client Connect, (or that can be modified to work with same) I would appreciate it.

 

The alternative is whether files that are generated elsewhere (i.e., with OpenVPN EasyRSA) will be recognized by the Netgear router.

 

Thanks,

Message 1 of 6

Accepted Solutions
Inetwl
Aspirant

Re: R6220 VPN

I am getting responses from OpenVPN, but the client (at first) did not fully connect more than once.

  • I upgraded the router to version V1.1.0.114_1.0.1, and downloaded new VPN files.
  • I also removed OpenVPN and OpenVPN Connect Client from the client device and did a clean install of OpenVPN 2.5.8.
  • I added "float" and "allow-recursive-routing" to the client.ovpn file, to improve connection and decrease duplicate packets.

That worked consistently, so of course I experimented with it.

 

I discovered:

  • proto tcp works, but proto tcp4 does not.
  • The dev-node name can be changed from NETGEAR-VPN to something different, like ClientVPN. As long as both the router and the TAP-Windows adapter names match, it works.
  • I changed the name of the 4 client files that were generated by the router to names that are meaningful to my network, and that worked also.

 

Now, the only thing that I have not yet tried is to generate certificates that match my home computers. If it doesn't work, I'll use the certificates that were generated by the R6220 router.

 

Thanks for your help.

View solution in original post

Message 5 of 6

All Replies
Kitsap
Master

Re: R6220 VPN


@Inetwl wrote:

I am trying to use OPENVPN with my Netgear router. There is no OpenVPN server between the router and the client.


The Netgear router generates a .zip file that contains files to use in the OpenVPN Connect Client. However, the ca.crt does not seem to have been generated using a secure hash algorithm. The details on the cert files indicate that the router generates them with an md5 hash or an md5RSA hash.


The error message from the OpenVPN Connect Client is
SSL_CA_MD_TOO_WEAK OpenSSLContext: SSLXTX_use_certificate failed: error 140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak.


I worked with the OpenVPN easyRSA to generate other certs based on the ones that came from the router, but none of them have worked. If anyone has come up with a solution that will allow the router to generate a VPN set of files for use with OpenVPN Client Connect, (or that can be modified to work with same) I would appreciate it.

 

The alternative is whether files that are generated elsewhere (i.e., with OpenVPN EasyRSA) will be recognized by the Netgear router.

 

Thanks,


What version of firmware are you running on your R6220?  The latest is not an answer.  The version number is needed for confirmation.

 

What version of Open VPN Connect are you running on your client?  What type of device are your running it on?  Windows, iOS, Android?

 

When you enable the Open VPN server on your router, you should select the configuration for all access to the internet and home network. 

 

Have you configured a Dynamic Domain Name Server service?

 

Whatever changes you make to your router configuration have to be made prior to generation of the configuration package for your client.

 

Message 2 of 6
Inetwl
Aspirant

Re: R6220 VPN

The answers to your questions are:

> Router Firmware Version V1.1.0.50_1.0.1

> Open VPN Connect version 3.3.6 (2752) on Windows 10

> Configuration was Auto - I changed it to all access to the internet and home network. No difference in the files that are generated. They still say md5 hash.

> I configured a Dynamic Domain Name Server service.

 

If I use the EasyRSA files that are associated with OpenVPN, I may have more control over which hash algorithm is present in the CA signature. so far, it seems the only inconsistency between the two products is the hash algorithm. The OpenVPN default, which is configurable, is sha256.

Message 3 of 6
Kitsap
Master

Re: R6220 VPN


@Inetwl wrote:

The answers to your questions are:

> Router Firmware Version V1.1.0.50_1.0.1

> Open VPN Connect version 3.3.6 (2752) on Windows 10

> Configuration was Auto - I changed it to all access to the internet and home network. No difference in the files that are generated. They still say md5 hash.

> I configured a Dynamic Domain Name Server service.

 

If I use the EasyRSA files that are associated with OpenVPN, I may have more control over which hash algorithm is present in the CA signature. so far, it seems the only inconsistency between the two products is the hash algorithm. The OpenVPN default, which is configurable, is sha256.


It appears your router firmware is several versions out of date.  Recommend you manually update the firmware on your router.  Avoid mobile devices and connecting to your router via Wi-Fi to perform the updates.  Use a web browser on a real computer connected to the router with an Ethernet cable.  You may not be able to skip over all of the versions in one update.  If not, try skipping two or three at a time.

 

https://kb.netgear.com/23960/How-do-I-manually-update-the-firmware-on-my-NETGEAR-router

 

The only success I have had with Open VPN on Windows is to use the Open VPN application available here:

https://openvpn.net/community-downloads/

 

For mobile devices, use the Open VPN application from the play store.

 

On the router, all VPN configurations do not work equally.  Recommend using the TCP mode and selecting all sites on the internet & home network options.

 

What is the internet source you connect to upstream of your router?  A modem/gateway/ONT?

 

 

 

Message 4 of 6
Inetwl
Aspirant

Re: R6220 VPN

I am getting responses from OpenVPN, but the client (at first) did not fully connect more than once.

  • I upgraded the router to version V1.1.0.114_1.0.1, and downloaded new VPN files.
  • I also removed OpenVPN and OpenVPN Connect Client from the client device and did a clean install of OpenVPN 2.5.8.
  • I added "float" and "allow-recursive-routing" to the client.ovpn file, to improve connection and decrease duplicate packets.

That worked consistently, so of course I experimented with it.

 

I discovered:

  • proto tcp works, but proto tcp4 does not.
  • The dev-node name can be changed from NETGEAR-VPN to something different, like ClientVPN. As long as both the router and the TAP-Windows adapter names match, it works.
  • I changed the name of the 4 client files that were generated by the router to names that are meaningful to my network, and that worked also.

 

Now, the only thing that I have not yet tried is to generate certificates that match my home computers. If it doesn't work, I'll use the certificates that were generated by the R6220 router.

 

Thanks for your help.

Message 5 of 6
Kitsap
Master

Re: R6220 VPN


@Inetwl wrote:

I am getting responses from OpenVPN, but the client (at first) did not fully connect more than once.

  • I upgraded the router to version V1.1.0.114_1.0.1, and downloaded new VPN files.
  • I also removed OpenVPN and OpenVPN Connect Client from the client device and did a clean install of OpenVPN 2.5.8.
  • I added "float" and "allow-recursive-routing" to the client.ovpn file, to improve connection and decrease duplicate packets.

That worked consistently, so of course I experimented with it.

 

I discovered:

  • proto tcp works, but proto tcp4 does not.
  • The dev-node name can be changed from NETGEAR-VPN to something different, like ClientVPN. As long as both the router and the TAP-Windows adapter names match, it works.
  • I changed the name of the 4 client files that were generated by the router to names that are meaningful to my network, and that worked also.

 

Now, the only thing that I have not yet tried is to generate certificates that match my home computers. If it doesn't work, I'll use the certificates that were generated by the R6220 router.

 

Thanks for your help.


Outstanding information. 😊

 

In case you did not notice, OpenVPN client version 2.6.0 was released a couple of days ago.

 

Good luck with your certificate endeavor.  I tried a couple of times but was not successful.

 

Suggest you mark this thread as resolved.

 

 

 

 

Message 6 of 6
Top Contributors
Discussion stats
  • 5 replies
  • 2409 views
  • 1 kudo
  • 2 in conversation
Announcements

Orbi 770 Series