Orbi WiFi 7 RBE973
Reply

Re: RBR850 Can't get VPN to work

RBR850 Can't get VPN to work

 

Hi - I am trying to get my Netgear Orbi RBR850 embedded OpenVPN up and running. I am running the OpenVPN GUI on a Windows 11 PC that will be running 24/7.

 

My RBR850 is running firmware v4.6.14.3_2.3.12

 

I am running OpenVPN GUI 11.43.0.0/2.6.5

 

Following the Netgear instructions, I have enabled the VPN support on my router, and downloaded the Orbi's generated OVPN config files, which I put into the OpenVPN config directory.

 

Here is the problem: When I run the Windows OpenVPN GUI and try to connect, I see a yellow icon instead of a green icon.

 

Trying to connect to my VPN using my Android phone always results in a timeout.

 

After starting the VPN connection in the GUI, the log files originally showed a "No server certificate verification method has been enabled" recurring error. After doing a little research, I found a (hopefully correct) solution to this issue by adding remote-cert-tls server to the end of my OVPN config file. I don't see the "No server certificate" error anymore in the logs.

 

However, I do see another error in the OpenVPN log that may be the reason for why I can't get it running. I also see the following error: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305)

.

Additional information: I have my internet service through Verizon 5G Home Internet. As a result, my IP address changes frequently. To handle this, I have DDNS enabled on my Netgear Orbi. I have verified that the DDNS service is properly updating my DNS IP address. The Orbi's generated OVPN config file does have a remote xyz.ddns.net portnum line in it for supporting the DDNS address.

 

Can anybody help me get the Orbi VPN operational?

 

Thanks!

Message 1 of 10
FURRYe38
Guru

Re: RBR850 Can't get VPN to work

Might check into installing some Beta FW. 

https://www.surveymonkey.com/r/G32BGFF

 

Message 2 of 10

Re: RBR850 Can't get VPN to work

OK, I made a little (but only a very little) progress.

 

I figured out that I needed to connect to my Orbi outside of my LAN to test the VPN (this makes sense, it's probably the network equivalent of trying to look inside your head).

 

Anyways, when I tried connecting to my Orbi VPN with my Android cell phone using the cellular network, I was able to establish a connection to my Orbi VPN.

 

However, once the VPN link was established, it was INSANELY slow - like, slower than dial up speeds (1 kbps or slower).

 

Trying to do multiple speedtest.net tests, all failed due to time-outs.

 

What do I need to do to have my Orbi act as the gateway to the internet for my VPN connection from my phone?

Message 3 of 10
CrimpOn
Guru

Re: RBR850 Can't get VPN to work


@NG_LostMyAcct wrote:

What do I need to do to have my Orbi act as the gateway to the internet for my VPN connection from my phone?


Perhaps I misunderstand, but there appear to be two distinct issues:

  • Enabling OpenVPN Host on the RBR850 router.
  • Using the RBR850 as an internet gateway for a cell phone connection.

Each specific DDNS provider has a unique method of keeping their DDNS entries synchronized with changes in the public IP address of the host system. Netgear has programmed the Orbi to be compatible with only three DDNS providers:

These are the only DDNS providers that will remain synchronized.  The comment about xyz.ddns.net appears inconsistent with this basic situation.  (Perhaps I misunderstand.)

 

Yes, the only method to verify that OpenVPN is working is to connect to the Orbi through the internet.  My practice appears to be similar to yours:

  • Disconnect my cell phone from the Orbi WiFi network and use LTE data.
  • Enable OpenVPN on the cell phone (mine is Android) and verify that the connection opens correctly.  Open a web browser and verify that the Orbi router web interface opens at 192.168.1.1.  Use some other network tools to verify that the 192.168.1.x network is available.
  • On the Orbi web interface, verify that the cell phone appears as a "VPN" connection type (rather than wired or WiFi).
  • Shut off the cell phone OpenVPN.
  • Create a WiFi Hot Spot on the cell phone.
  • Connect the laptop to the Hot Spot.
  • Enable OpenVPN on the laptop and verify that it connects and functions correctly.

Netgear includes OpenVPN Host in routers to enable customers to access their home network when not at home.  Yes, there is an option to allow devices connected via VPN to "access the internet" and some customers make use of this feature. (Often to present the appearance of connecting to internet resources from their home location when they are not at that location.)  Although the VPN connection between cell phone (or laptop) and the Orbi is encrypted, the connection between Orbi and the internet is "whatever it is".  i.e., if you access a plain http web site, it is not encrypted.

 

Of course, every transmission has to go through a torturous pathway:

  • Laptop or cell phone through the internet to the Orbi.
  • Orbi out to the internet.
  • Internet back to the Orbi.
  • Orbi back through the internet to the cell phone or laptop.

I would prefer to get rid of all that and go directly that whatever internet resource I need.  If encryption is desired, install a commercial VPN on the cell phone or laptop and be done with it.

 

(That said, what I would do it not relevant.)

 

What it sounds like is:

  • You got OpenVPN working on the Orbi, and
  • Performance through the Verizon 5G Home Internet sucks when everything has go pass through four times.
Message 4 of 10

Re: RBR850 Can't get VPN to work

Hi, @CrimpOn - Thanks for replying back, this has been driving me nuts.

 

The pathway to access the internet through the Orbi VPN tunnel shouldn't be considered "tortuous", though a small amount of loss due to VPN protocol overhead is of course expected. The route you listed is exactly the same route that every commercial VPN provides, and typically I see 5% or less bandwidth loss with the commercial VPNs that I have used in the past. I have a 300+ Mbps down / 20+ Mbps up ISP, but when I have the Orbi configured to act as an Internet access VPN, my bandwidth drops to single-digit kbps rates (more likely, 0.00 kbps). Obviously, this is not operating properly.

 

However, my Android OpenVPN Connect app does show an assigned IP address within the LAN network's IP range, so something is working right. I am also able to ping my LAN's gateway IP address fine.


Since the Orbi VPN is supposed to allow communication to my home LAN (as a minimum), I tried the following experiment: With the VPN disabled and my phone on the LAN via WiFi, I was able to transfer files from my NAS to my phone via SMB at a 280 Mbps data rate. But, when I tried to connect to the NAS when the Orbi VPN was enabled on my phone, my phone failed to login to the NAS - again, indicating that the Orbi VPN isn't working as advertised. 

Message 5 of 10
F_V
Luminary
Luminary

Re: RBR850 Can't get VPN to work

I'm sure you've already thought of this, however in case not I wanted to point out something.  While you have a 300/20 connection, when you are connected to your home network via VPN, remember that the only bandwidth you are going to be able to take advantage of is the 20 upload speed, as even though you are on your phone downloading, your home network is actually uploading data to you.  What upload speeds do you actually see on your LAN during a speed test?

 

I've never used the Orbi as a VPN server, instead opting to use pfSense for all those services.  If you like to tinker a pfSense firewall on the WAN side of your Orbi is a lot of fun to play with.

 

 

Message 6 of 10

Re: RBR850 Can't get VPN to work

Hi, @F_V - I hadn't thought of that, and it's an excellent point! It also answers a mystery that I had, which I'll get to in just a second.

 

Almost every time I have successfully connected to my Orbi's VPN over the cellular network, I have seen single digit kbps data rates for both upload and download speed, like 2-3 kbps. I have seen these painfully slow "dial-up" rates both when using my VPN-connected cell phone as a hot spot for my PC, and when browsing on the cell phone itself.

 

Thinking that the devices on the Orbi VPN might have problems with connecting to the Orbi gateway, I added the route-gateway <OrbiGatewayIpAddr> setting to my OVPN file.

 

Adding that setting seemed to make a difference ... but only once. I used the phrase "Almost every time" because there was one single instance where my home PC connected to my VPN'd cell phone hotspot got 20 Mbps up and 20 Mbps down. I couldn't figure out why I was seeing the 20 Mbps download speed that one time, and you solved that mystery for me!

 

Now, if only I could figure out how to get the Orbi VPN to actually work reliably!

Message 7 of 10
F_V
Luminary
Luminary

Re: RBR850 Can't get VPN to work

Maybe add 'verb 5' to your .ovpn and look at the logfile output to see if some setting is unhappy during negotiation with your Orbi.  You could also put your .ovpn on a computer, download the OpenVPN client, and see if you have better results from there.  If you do that you'll want to make sure your computer is outside your network VPNing back into it, not from inside the network as that won't tell you much (or you might not even be able to connect at all).

 

Message 8 of 10

Re: RBR850 Can't get VPN to work

@F_V - I modified the verb setting to verb 5, and ran the updated OVPN on my PC.

 

I did see something interesting in the log files after the connection was established. I saw a number of AEAD Decrypt error: bad packet ID errors cropping up amongst the cornucopia of "Wr"s (Write/reads?). Further investigation showed that error could be related the UDP MTU size.

 

But before modifying the adapter MTU sizes, I decided to try switching the Orbi VPN from UDP to TCP. Interestingly, the connection did seem to operate better and connect to the internet through the Orbi VPN. However, the data rates were really slow (4 Mbps down, 2 Mbps up). I am not sure why the TCP rates were so slow, so I switched back to UDP..

 

The UDP connection was still hard to establish, so I started dropping the MTU values on my Windows TAP-V9 (NETGEAR-VPN) network adapter. When I got around 1400, I was able to get the UDP connection to work better with 20 Mbps down / 20 Mbps up data rates, but the connection was still not reliable. I could only get good data rates about 25% of the time.

 

So, things are better ... but still not reliable.

Message 9 of 10
CrimpOn
Guru

Re: RBR850 Can't get VPN to work


@NG_LostMyAcct wrote:

I decided to try switching the Orbi VPN from UDP to TCP. Interestingly, the connection did seem to operate better and connect to the internet through the Orbi VPN. However, the data rates were really slow (4 Mbps down, 2 Mbps up). I am not sure why the TCP rates were so slow, so I switched back to UDP..


This is well-known difference between TCP and UD. Search for TCP vs. UDP::

https://www.avast.com/c-tcp-vs-udp-difference#:~:text=The%20main%20difference%20between%20TCP,reliab... 

 

With UDP, packets just get "sent" and the sending device has no confirmation that they were received.  When networks are nearly perfect, almost every packet "gets there" and the confirmation provided by TCP is of no value.  Thus, when performance is key, UDP is often the correct choice.

 

That 20Mbps "up" pipe appears to be a real kill joy as it restricts speed in two of the four journeys.  (My ISP provides 11Mbps "up", so I have even less incentive to consider using the VPN tunnel to  access anything outside my local LAN.)

 

Message 10 of 10
Discussion stats
  • 9 replies
  • 2432 views
  • 0 kudos
  • 4 in conversation
Announcements

Orbi 770 Series