
I had to generate new keys to use the latest version of OpenVPN client to connect to my Netgear R7000 router, as the stock ones used MD5 which is no longer supported.

I followed a guide to generate the new keys, producing a dh4096.pem cert, but since the router originally used a dh1024.pem cert, the guide simply instructs to rename dh4096.pem to dh1024.pem and overwrite the original file.

  • This works, but for both learning and OCD purposes, I would like to modify the server configuration to point to the new file while keeping its real name, dh4096.pem.
    • I searched every file in the server's filesystem for 1024 in .conf files, .sh files, and everything readable containing vpn in its path, but with no luck.

I suspect that the OpenVPN executable looks for dh1024.pem by default and it's up to me to explicitly add a parameter indicating the new location or in this case the new name.

Where should I look?

BusyBox v1.7.2 (2017-06-15 22:36:14 CST) built-in shell (ash)
    
# /usr/local/sbin/openvpn --version
OpenVPN 2.3.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 15 2017
  • Don't use a dh4096.pem cert, as a 2048 cert is more than sufficient, just as an encryption cipher over AES128 isn't needed, serving only to slow throughput with no additional gains in security (AES128 will remain uncrackable until >2030). Usually, OpenVPN config files are contained within /etc/openvpn. (Just an FYI, you may want to consider flashing OpenWrt, an opensource router firmware, as your router is not only running 3yr old firmware, OpenVPN 2.4 introduced several improvements, including TLS EC cipher support, which is more efficient.)
    – JW0914
    Commented Sep 11, 2020 at 11:19
  • I considered switching to an open source firmware, but from what I gathered reading online, the stock one performs better in terms of speed and stability. If anything, I would replace openvpn with a newer version (best case scenario: I cross-compile the 2.4 executable and everything else stays the same), but I'm still learning; that's too advanced for me right now.
    – mfloris
    Commented Sep 11, 2020 at 11:56
  • You cannot compile a new version of any of the software in OEM firmware, as the firmware isn't opensource. There are several opensource firmware OSes [DD-WRT, OpenWrt, Tomato, etc.], w/ OpenWrt generally being the most stable, having the most packages & documentation. It's not advised to use OEM firmware on routers more than a yr old if the OEM hasn't supplied an updated image (OEMs consider routers EoL after 1 - 2yrs) and opensource firmware exists due to the hundreds of security patches the OEM firmware now lacks. For stability, see the OpenWrt Forum
    – JW0914
    Commented Sep 11, 2020 at 12:11
  • By modifying the dh line within OpenVPN's config file [openvpn.conf] (man page), which is usually contained within /etc/openvpn [above]; however, Netgear could have implemented the config in a variety of ways, including from a script that writes it to /tmp or /var, and if this is the case, you'll need to re-modify it after every reboot. Example tuned server and client configs
    – JW0914
    Commented Sep 11, 2020 at 12:43
  • Ah, I didn't read the device wiki when posting the link. Not all drivers are made available in an opensource format, which is why I always recommend to folks that when buying a router to buy one that has opensource support; OEMs, if they release any firmware updates at all, will stop supporting a router within 1 - 2yrs, considering it EoL [End of Life]. There was a developer for DD-WRT that had previously created custom builds for Netgear devices (Kong I think, or something similar), something you may want to look into in a year or so.
    – JW0914
    Commented Sep 16, 2020 at 10:49
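
As an added example (not from the question, the comments, or Netgear's firmware), here is a POSIX sh script for the router's BusyBox shell that answers "where should I look": instead of grepping the flash filesystem, it reads the argv and working directory of the running openvpn process from /proc, which shows whichever --config or --dh argument the firmware actually passed, even when the config is generated into /tmp at boot. It then prints the config's current dh directive and rewrites it to a new file name. OpenVPN has no built-in default DH file name (2.3 refuses to start a TLS server without a dh directive), so the name dh1024.pem comes from the config or command line the firmware writes, not from the binary. The function names, the temp-file handling and the sample config used to exercise it are assumptions for illustration; the edit is lost if the firmware regenerates the config on reboot, and the daemon must be restarted for it to take effect.

```shell
#!/bin/sh
# Added example, not part of the original post or the Netgear firmware.
# Written for BusyBox ash / POSIX sh; no bashisms, no sed -i.

# 1. Which config (or --dh argument) is the live daemon using?
#    Prints "PID cwd=DIR argv=..." for every process whose argv[0] ends in
#    "openvpn".  Relative file names in the config resolve against that cwd
#    (or a "cd" directive), so print it too.
openvpn_argv_from_proc() {
    for d in /proc/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        argv=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null) || continue
        case "${argv%% *}" in
            *openvpn) printf '%s cwd=%s argv=%s\n' "${d#/proc/}" \
                          "$(readlink "$d/cwd" 2>/dev/null)" "$argv" ;;
        esac
    done
}

# 2. Print the file named by the "dh" directive in CONFIG (empty if none).
#    Comments (# or ;) are stripped first so a commented-out line is ignored.
dh_file_of() {
    sed -e 's/[#;].*//' "$1" | awk '$1 == "dh" { print $2; exit }'
}

# 3. Point the dh directive at NEWFILE, appending one if CONFIG has none.
#    Writes to a temp file and renames, so a half-written config is never
#    left behind if the shell is interrupted.  (NEWFILE must not contain '|'.)
set_dh_file() {
    cfg=$1
    new=$2
    tmp="$cfg.tmp.$$"
    if [ -n "$(dh_file_of "$cfg")" ]; then
        sed -e "s|^[[:space:]]*dh[[:space:]].*|dh $new|" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'dh %s\n' "$new"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# 4. Sanity check before restarting the daemon: openssl must parse the new
#    file and report the expected group size.  Run on the router if it has
#    openssl, otherwise on the machine where the parameters were generated.
dh_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n1
}

# Usage: sh dh-rename.sh CONFIG NEWFILE   -> rewrite CONFIG's dh line
#        run openvpn_argv_from_proc interactively first to find CONFIG
if [ "$#" -eq 2 ]; then
    set_dh_file "$1" "$2"
    printf 'dh now: %s\n' "$(dh_file_of "$1")"
fi
```

If the proc listing shows the firmware passing --dh on the command line rather than in a config file, the name is hard-coded in whatever script or binary starts the daemon, and renaming the file (as the guide does) is the only option short of replacing the launcher.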
