Custom firmware build for R7800 v. 1.0.2.23SF & v. 1.0.2.24SF

This firmware is really great!
I am currently on 23SF, but I think I will wait to upgrade to 24SF since 23 is working very well for me.
I have a lot of stuff set up in "Access Control" and I always do a reset to factory after I upgrade (this seems to make the install "cleaner").
I am just a little leery about reloading from a backup because all the guys in the RMerlin thread advise against it on the Asus (which I use as a bridge on RT-3100). It does seem to work OK on the R7800 so far, but I am just a worrier. So I try to be as careful as I can.

Voxel is great! He has held my hand in setting up SSH access and I can't express my gratitude enough!

My Linux knowledge is limited. So I need to be coached like a kid learning to play football.

If I can, I will try to put together a guide on how to do this. Something like "Voxel's firmware for dummies" or similar.
Using only Windows makes it a lot harder to do, but it can be done thanks to Voxel's patience and willingness to help.
 
I created fix version 1.0.2.24SF. Please check it with your Android and default key/crt. Should be OK now.

https://www.mediafire.com/folder/tyj61i5uc610w/voxel-firmware

Voxel.
Okay Voxel, I will load your new 24SF probably tonight when I can get some down time. I am still worried about Netgear not fixing their terrible openvpn certificate and key generation though. From what I can see in their firmware implementation, they have the certificates and keys all embedded in their firmware and when you reboot or restart their openvpn, it just extracts the configs from their firmware into a .tar file and then untars their hard coded config keys into place in the /tmp/openvpn directory. If those keys are not generated uniquely each time the Netgear router starts openvpn, then it seems to me that everyone with this Netgear R7800 router will have the same exact configs, certificates and keys!
I can't believe Netgear management is not concerned about this security exposure enough to fix it. All these years it has been like this. Most casual users won't be aware of this exposure when they enable their openvpn. Wow!
 

You can restore your settings from backup. No problems if you upgrade from my 1.0.2.23SF to my 1.0.2.24SF.

Voxel.
 
IMO it is not so dangerous to use the keys/CA/certs generated by the firmware. I did not investigate this in depth, but logically, if you do not share such a generated CA, then it cannot be used by a third party to sign their client cert/keys. And your VPN will not accept alien clients.

(But I’m using my own :) Paranoia :D)

Voxel.
 
Okay, better safe than sorry. :) I'm not sure exactly how that Netgear CA is generated or working, but it looks like the CA file is hard coded in their firmware and if so, it will be exactly the same CA for everybody who uses it. No? Anyway, I hope you are right on that. Regardless, thanks for your great work!
 
Voxel, okay, I loaded the new 24SF firmware tonight and it is working just fine now. Netgear OpenVPN is working again with its own certificate keys.
I see now in their script that there is a routine to re-generate the CA, keys and certificates, which I suppose will make each Netgear router's CA unique. But I am not sure about that either. Still, the fact that each router generates the same CA and keys over and over again is a concern for distributed client keys on devices that you might want to revoke but can't using Netgear's OpenVPN. Generating a new CA, DH parameters, keys and so on is difficult and beyond most folks to do and install!
 
You know, if there are any doubts, how do you say: "better safe than sorry". I added the possibility of using your own keys/certs. I use my own so I do not have to think about it: just set up and forget.

OK, now everything is OK with OpenVPN. I'll update my initial post in this thread: not so many changes as to start a new thread.

Voxel.
 
Okay, sounds good. Your customized firmware is working solid for me now. I don't use all the extra fancy stuff like traffic metering, QoS or anything, so I can't speak to that area. But for my basic reliability, internet and LAN connection use, it is solid. I also like that I can just load and use the same exact configuration files from the original Netgear v1.0.2.20 firmware without any resetting or wipes. It just works. Thank you!
 
Hello Voxel or any other expert,

Is this as easy to install as Kong/DD-WRT, just reset settings and upgrade in the GUI etc.? Can't find a guide.

I'm back on stock now from DD-WRT. Is it just a matter of upgrading in the Netgear GUI with R7800-V1.0.2.24SF.img from Netgear stock? How do I revert to stock?

Can I use openvpn/client in router after upgrade?

Cheers
 
Flash it like a stock FW, easy as that.
Revert to stock by using NG's own FW, just like that.
No need to reset, but I do it anyway.
 
Voxel, don't forget the full power of the CPU and FPU of the IPQ806x processor, which stock does NOT have ;)
 
I know this had been asked several times over, but I'm still struggling to understand whether it is possible to configure the router as a VPN client via the console (not via the web page), or are the closed-source Netgear binaries a limitation there as well?
 
Most probably it is possible. I did not investigate this in depth. If you also need to set up your iptables rules then the only problem is Netgear's firewall (/usr/sbin/net-wall, no source code) which spoils all iptables settings. I did some modification of /usr/sbin/net-wall: now it is a script which also sets my settings and runs the original precompiled net-wall (I renamed it net-wall-bin). So you should modify my script, adding your rules for the client after the call to Netgear's firewall. See for example how kyle55555 modified this script, adding TUN OpenVPN to the R7500v1:

https://www.snbforums.com/threads/custom-firmware-build-for-r7800.36859/page-3

It is not your case, but it explains how to modify the /usr/sbin/net-wall script for your own needs.

Check from the console: run openvpn manually as a client to connect to the OpenVPN server you plan to use. It is not necessary to install Entware for this.

Voxel.
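As an added illustration of the wrapper pattern described above (example code, not Voxel's actual net-wall script): the original Netgear binary is assumed to have been renamed to /usr/sbin/net-wall-bin, the OpenVPN client is assumed to create tun0, and the LAN bridge name br0 and the rule set itself are assumptions chosen for illustration.

```shell
#!/bin/sh
# Hypothetical replacement for /usr/sbin/net-wall (added example, not the project's script).
# Netgear's precompiled firewall rewrites the whole iptables rule set every time it runs,
# so any rules for the OpenVPN client must be re-added AFTER it, every time.
NETWALL_BIN="${NETWALL_BIN:-/usr/sbin/net-wall-bin}"   # renamed original binary (assumed)
IPT="${IPT:-iptables}"
VPN_IF="${VPN_IF:-tun0}"                                # interface created by the OpenVPN client
LAN_IF="${LAN_IF:-br0}"                                 # LAN bridge name (assumption)

# Print the iptables commands for the VPN client, one per line, so they can be
# reviewed before anything is executed. Only return traffic is accepted from the
# tunnel; the LAN may initiate through it and is masqueraded behind tun0.
vpn_client_rules() {
    cat <<EOF
$IPT -A INPUT -i $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
$IPT -A FORWARD -i $VPN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
EOF
}

# Execute every rule; stop at the first failure so a half-applied set is noticed.
apply_vpn_client_rules() {
    vpn_client_rules | while IFS= read -r cmd; do
        $cmd || { echo "net-wall: failed: $cmd" >&2; exit 1; }
    done
}

# Number of rules the wrapper would add (handy for a quick sanity check).
count_rules() {
    vpn_client_rules | wc -l | tr -d ' '
}

# Entry point: only acts when invoked as "net-wall", so the file can be sourced
# for inspection without touching the firewall.
case "${0##*/}" in
    net-wall)
        "$NETWALL_BIN" "$@" || exit $?   # let Netgear's firewall build its tables first
        apply_vpn_client_rules           # then layer the VPN client rules on top
        ;;
esac
```

Set IPT=echo before calling apply_vpn_client_rules to dry-run the wrapper and see the exact commands it would issue.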
 
For those who use Entware:

New version of Entware-3x (my build optimized for IPQ806x) is available to download:

https://www.mediafire.com/folder/tyj61i5uc610w/voxel-firmware

Build 170221.

What’s new:
1. Synchronized with LEDE and OpenWRT.
2. New toolchain is used with GCC 6.3.0 and glibc 2.25.

In my build:
1. Optimized for IPQ806x (compiler options).
2. Kernel 3.4.103 is used in compilation.
3. Few packages are upgraded to more recent versions.
4. OpenSSL asm acceleration is used.
5. OpenVPN is compiled with use of the external LZ4 library v.1.7.5 (the latter is added to the packages).

Voxel.
 
Thank you Voxel for this firmware. I switched from Netgear stock primarily for the added security (disable ping from WAN and dnscrypt); these are working nicely on the latest V1.0.2.24SF.
Let's see if I get fewer DoS attacks and scans.
 
I'm trying to figure out how to use Transmission instead of Netgear Manager. I followed the steps in readme.docx from Voxel Mediafire space.

I have a 2 TB HDD that is formatted as NTFS. I don't think I can create a swap file in the root of that drive and expect it to work. So I attached an 8 GB USB stick formatted as ext4 and created a 1 GB swap file on it. Still can't get Transmission to work: it shows me a blank page in the GUI with a small sad face diagram and "routerlogin.net is not responding" underneath.

Any help is appreciated
 
Probably you use an HTTPS connection to your router's WebGUI? Some browsers block HTTP inside HTTPS (Transmission in this firmware uses HTTP).

Try to enter your router using HTTP, not secure HTTPS. Also make sure that:

1. You set the download directory from the Netgear Download manager
2. You disable the Netgear Download manager

Transmission should be accessible even w/o setting swap.

If there are still problems, try to enter the Transmission GUI directly, using the IP of your router and port 9091. I.e. if your router LAN IP is 192.168.1.1 then use:

http://192.168.1.1:9091

(this is to check that it is working)

Voxel.
 
Thanks Voxel. I'm not using HTTPS, just the plain non-secure protocol. I have already set the download directory to the Easyshare default (I think it's called USB_share, mapped to the U drive in my case), and I have Netgear Downloader disabled.
I could access Transmission at port 9091 as you pointed out, but there are no control buttons, i.e. I can't add a torrent. I'm using Chrome.

UPDATE: Now it's working at port 9091 after clearing Chrome cache. Thank you :)