VPN Service

dragonworks

I'm trying to connect to my home network using the VPN server on the router but haven't been able to get it working. If anyone can help, I'd really appreciate it!

I've installed Voxel's latest firmware (1.0.2.47SF) and enabled the VPN service. I installed the latest version of OpenVPN for Windows on a laptop and downloaded the Windows OpenVPN config files from the router.

When I try to connect I get this message:

Tue Mar 13 16:02:11 2018 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Tue Mar 13 16:02:11 2018 Cannot load certificate file C:\PROGRA~1\OpenVPN\config\client.crt

Here's my client.ovpn file. I've tried with and without the full paths for the files.

client
dev tap
proto udp
;dev-node NETGEAR-VPN
remote MYIPADDRESS  12974
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca C:\\PROGRA~1\\OpenVPN\\config\\ca.crt
cert C:\\PROGRA~1\\OpenVPN\\config\\client.crt
key C:\\PROGRA~1\\OpenVPN\\config\\client.key
cipher AES-128-GCM
;comp-lzo
compress lz4-v2
verb 0
sndbuf 393216
rcvbuf 393216

Regards
Michael

 

Voxel

Well, these cert files are kept in the NAND memory of the router, and you have probably had them for a very long time, since OpenSSL 0.9.8 was in use. Try to:

1. Use a more recent version of my build, 1.0.2.49SF

2. Enable telnet and run the following commands from telnet:

/etc/init.d/openvpn stop

/etc/init.d/openvpn regenerate_cert_file

After this, reboot your router.

Voxel.

Voxel

And download windows.zip again of course.

Voxel.

edmartin54

OpenVPN ver 2.4.5 does not allow the use of MD5 certificates, as those have been proven to be too weak security-wise. I'm running the latest Voxel (49) and still get that error with the 2.4.5 client. I had to downgrade back to OpenVPN 2.4.4 until the server creates SHA certs.
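
An added example, not part of the original thread: a Python check that reads the signature algorithm from a PEM certificate, so that MD5-signed files like the ones behind the "ca md too weak" error can be spotted before a client upgrade or after regenerating. `sample_pem` builds a constructed DER skeleton rather than a real certificate, and flagging SHA-1 as weak is this example's own policy.

```python
import base64

# signatureAlgorithm OIDs -> (name, weak?). Flagging SHA-1 is this example's policy.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)           # base-128, high bit = more bytes follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(pem_text):
    """Return (algorithm name, is_weak) for a single PEM certificate."""
    b64 = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, start, _ = read_tlv(der, 0)                # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(der, start)            #   tbsCertificate (skipped)
    _, alg_start, _ = read_tlv(der, tbs_end)        #   signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, ("unknown " + oid, None))

def sample_pem(oid_body):
    """Constructed DER skeleton; oid_body is the DER-encoded OID bytes."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    alg = der(0x30, der(0x06, oid_body) + b"\x05\x00")
    cert = der(0x30, der(0x30, b"\x02\x01\x01") + alg + der(0x03, b"\x00\xaa"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode()
            + "\n-----END CERTIFICATE-----\n")
```

To check a real file, pass the contents of ca.crt or client.crt to `cert_signature_algorithm`; the DER body of the MD5 OID for `sample_pem` is `bytes.fromhex("2a864886f70d010104")`.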

edmartin54

As usual, I got ahead of myself again :).  I did not read your replies Voxel and am trying that out now.  I've used telnet to recreate the certs and rebooted my router.  Upgraded my OpenVPN client to 2.4.5 again and testing now.

edmartin54

Voxel's telnet script worked like a charm!  Thanks, V!

edmartin54

Will I have to run the telnet script every time I update to the next version of your firmware?

Voxel

Will I have to run the telnet script every time I update to the next version of your firmware?

 

No. It is kept in NAND memory. It is not touched when you flash firmware. So even if you flash stock fw, your regenerated keys should be kept.

Voxel

Rushboy

Hi, I really need your help, guys. My problem is that I want to set up PIA VPN but I can't seem to make it work. I have created a folder named openvpn-client on my USB. Oh, and my VPN Unlimited works with no problems, as they only have one ovpn file, but PIA has 2 files, 1 ca and 1 server. I don't know how to make the files one and where to put my details.

I have read the readme file and done research but still can't make it work, hence I am asking for your help. Thanks in advance.

Voxel

I do not quite understand your problem. If you have several files related to OpenVPN client configuration (such as CA) you should copy all of them to your USB into this folder.

Voxel.

Rushboy

So I just have to copy the CA and server file, then I don't have to change anything in the file to input my username and password? As with VPN Unlimited there's no password but only one ovpn file with everything I need, but PIA has a password, so how would I go about inputting the username and password? That is where I am stuck. Sorry for my English, not my first language. Thanks.

Voxel

Check this article:
 

https://www.myopenrouter.com/article/how-set-openvpn-client-netgear-r900...

It is for the R9000, but it is the same for the R7800. It is about how to use username/password.

Voxel.

Rushboy

Voxel, thanks for your reply, but I am still stuck. This is how I have changed the file:

client
dev tun
proto udp
remote uk-southampton.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/config/client/auth.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
 
And then I have created a text file with my user and password named auth.text. As you can see, the ca file is in a different file, and then I have copied all three files and put them in the folder named openvpn-client, but still nothing happens.

This is the ca file called ca ca.rsa.2048.crt
 
 
Thanks for any advice.

 

Voxel

You should also have the file crl.rsa.2048.pem
 

verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
 
Did you not miss it?

Voxel.

Rushboy

Lol, it's working now. I don't know what to say. It looks very easy and I have been stuck there for 4 days, and you just showed me the problem. It started working straight away when I put in the 4th file that you mentioned.

I have tried DD-WRT Kong but there is no Transmission on it, and that is when I saw your build. Great work you have done there, thanks.
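
An added example, not part of the original thread: the failure in the exchange above was a file named in the config (`crl-verify crl.rsa.2048.pem`) that was not in the folder, and this Python sketch lists every file a .ovpn config refers to and reports the ones that are absent. It assumes all referenced files are expected to sit in the same folder as the .ovpn, so only base names are compared; `SAMPLE` is abridged from the config posted above and `SAMPLE_FOLDER` is a constructed listing.

```python
import os
import re

# Directives whose first argument is a file OpenVPN has to open.
FILE_DIRECTIVES = {"ca", "cert", "key", "crl-verify", "auth-user-pass",
                   "tls-auth", "tls-crypt", "pkcs12"}

def referenced_files(ovpn_text):
    """Return [(directive, path)] for every file the config refers to."""
    refs = []
    for raw in ovpn_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0][0] in "#;":        # blank line or comment
            continue
        # auth-user-pass without an argument means "prompt", so it is skipped
        if parts[0] in FILE_DIRECTIVES and len(parts) > 1:
            refs.append((parts[0], parts[1].strip('"')))
    return refs

def missing_files(ovpn_text, names_in_folder):
    """Referenced files whose base name is not in the folder listing."""
    present = set(names_in_folder)                  # exact match: the router is case-sensitive
    return [(d, p) for d, p in referenced_files(ovpn_text)
            if re.split(r"[\\/]", p)[-1] not in present]

def check_folder(ovpn_path):
    """Run the check against the real folder that holds ovpn_path."""
    folder = os.path.dirname(os.path.abspath(ovpn_path))
    with open(ovpn_path, encoding="utf-8") as fh:
        return missing_files(fh.read(), os.listdir(folder))

# Abridged from the config posted in the thread.
SAMPLE = """client
dev tun
remote uk-southampton.privateinternetaccess.com 1198
auth-user-pass /etc/openvpn/config/client/auth.txt
;comp-lzo
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
"""
# Constructed folder listing with three files, the CRL not among them.
SAMPLE_FOLDER = ["client.ovpn", "ca.rsa.2048.crt", "auth.txt"]

if __name__ == "__main__":
    for directive, path in missing_files(SAMPLE, SAMPLE_FOLDER):
        print("missing:", directive, path)
```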

roc342

Anybody get this error 

Enter Management Password:
Enter Management Password:
 
roc342

I was able to overcome the MD cert too weak error by clean-all and making new certs, but now I get the above.

roc342

Fixed it. Had to do a clean wipe of the client on my system. Issue was fixed.

edmartin54

I've had to move my R7800 router behind an AT&T Pace 5268AC gateway. I've opened up the applicable ports and everything works great when connecting from my laptop. However, when connecting from my Android phone (which used to work perfectly), it now sets the third octet of my IP address to one digit off, which prevents me from browsing my network devices when away from home. Anyone have any idea why it's suddenly doing this?

Thanks!

e38BimmerFN

If your modem can't be bridged, which would be recommended, then use the modem's DMZ for the R7800.

edmartin54

Don't want to use DMZ+ on the AT&T gateway. As I said, it is working perfectly for my laptop, and my Android phone connects, it just does not have the proper IP address.