VPN Server update breaks when not using selfsigned cert

Discussion room for Synology VPN package in DSM 3.1-1725 or above.
MarcusJ
Novice
Posts: 41
Joined: Fri Dec 02, 2011 7:07 pm

VPN Server update breaks when not using selfsigned cert

Postby MarcusJ » Tue Apr 22, 2014 5:41 pm

We have a new DSM 5 install (was installed fresh on DSM 5 within the past month). The issue began once we performed the upgrade of the VPN Server. Once this was completed we were unable to connect from any device to the VPN server (even after deploying the new certificates to all the devices).

We are running an external certificate that was acquired through RapidSSL

It appears that the wrong certs are being presented when you click "export configuration" within VPN Server. Before, it would be a self-signed certificate even when using an external certificate (RapidSSL in our case).

Here is the error:

Code:

Tue Apr 22 11:11:44 2014 OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jan  8 2013
Enter Management Password:
Tue Apr 22 11:11:53 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 22 11:11:53 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr 22 11:11:53 2014 UDPv4 link local (bound): [undef]
Tue Apr 22 11:11:53 2014 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Apr 22 11:11:54 2014 VERIFY ERROR: depth=2, error=unable to get local issuer certificate: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Tue Apr 22 11:11:54 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 22 11:11:54 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Apr 22 11:11:54 2014 TLS Error: TLS handshake failed
Tue Apr 22 11:11:54 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 22 11:12:02 2014 ERROR: could not read Auth username/password/ok/string from management interface
Tue Apr 22 11:12:02 2014 Exiting due to fatal error


We were able to figure out a work around and reproduce the problem by doing the following:

-When installing or attempting to connect to the VPN server when using an external certificate we got the error and were unable to connect.

Work around:
-Uninstalled VPN Server
-Setup a self signed certificate
-Installed VPN Server
-Exported configuration and distributed it out to the clients and it worked fine.

then to reproduce the problem:
-uninstalled VPN Server
-imported the external certificate from RapidSSL
-installed VPN Server
-exported configuration/certificates to all the devices
-was unable to connect again with the error shown in the client log file.

We are currently running a self signed certificate and have access to the vpn server but this is not acceptable because we connect from secure locations that do not allow access to services which use a self signed certificate.

We have submitted a ticket but wanted to share the work around for others if they are affected.
ilkevinli
Sharp
Posts: 163
Joined: Thu Apr 19, 2012 2:05 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby ilkevinli » Tue Apr 22, 2014 7:01 pm

I had the same exact issue with the same error message. I, like you, found the self-signed certificate workaround. I eventually was able to get it to work with my purchased SSL certificate by SSHing into the NAS and editing the ca files at (/usr/syno/etc/ssl) to match my Intermediate file and OpenVPN worked without the error.

MarcusJ wrote: (original post quoted above)
MarcusJ
Novice
Posts: 41
Joined: Fri Dec 02, 2011 7:07 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby MarcusJ » Tue Apr 22, 2014 7:03 pm

Did you happen to document that process?
ilkevinli
Sharp
Posts: 163
Joined: Thu Apr 19, 2012 2:05 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby ilkevinli » Tue Apr 22, 2014 9:49 pm

No, but all I did was go to the path I posted above, and you'll see 4 ssl folders. Go into each one and edit the ca file with the proper ca code from RapidSSL. Then restart OpenVPN and re-download the config/ca files from OpenVPN.



MarcusJ wrote:Did you happen to document that process?
fdp2
Trainee
Posts: 19
Joined: Fri Dec 22, 2006 6:06 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby fdp2 » Fri Apr 25, 2014 10:31 pm

Hi MarcusJ,

Thanks for sharing your experience.
I am suffering the same error with a StartCom certificate.
Did you get a feedback from Synology regarding this error ?
MarcusJ
Novice
Posts: 41
Joined: Fri Dec 02, 2011 7:07 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby MarcusJ » Fri Apr 25, 2014 10:34 pm

I have not. I submitted a ticket at the same time as my original post. I think they are very busy with the DSM 5 rollout.

If I don't hear back by tomorrow I'll try the fix. Will post my results here.
kenkendk
I'm New!
Posts: 9
Joined: Fri Mar 23, 2012 12:24 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby kenkendk » Tue Apr 29, 2014 11:08 am

Any feedback on the Synology ticket?

And, is the "correct certificate" something like this:
https://www.startssl.com/certs/class1/sha1/pem/
DerOetzi
Trainee
Posts: 14
Joined: Tue Oct 08, 2013 1:45 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby DerOetzi » Wed Apr 30, 2014 9:27 am

Hi, exactly the same error on my side. Is there already a solution from Synology?
pkroeze
I'm New!
Posts: 4
Joined: Thu Feb 07, 2013 1:10 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby pkroeze » Wed Apr 30, 2014 10:37 am

I've got the same issue.
jameskb101
Trainee
Posts: 13
Joined: Sun Sep 02, 2012 10:11 am

Re: VPN Server update breaks when not using selfsigned cert

Postby jameskb101 » Thu May 01, 2014 9:35 am

I'm having a similar problem. Could someone give instructions on how to create a self-signed certificate and where (and how) to install it via SSH? Sorry if these are trivial issues to experienced users, but this is unclear to me. I imagine others are in a similar position.

Thanks for your help.

James
yogy
Novice
Posts: 57
Joined: Mon Sep 02, 2013 4:30 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby yogy » Sat May 03, 2014 11:05 am

I'm also using StartSSL certs to connect to my NAS via https. I want to use these certs for OpenVPN on Synology. I don't want to use a workaround with self-signed certs because I will lose the secure connection to my NAS from outside.
Is there any known solution for using Synology OpenVPN with StartSSL certs?
fdp2
Trainee
Posts: 19
Joined: Fri Dec 22, 2006 6:06 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby fdp2 » Sun May 04, 2014 5:31 pm

Hello,

I received the following answer on my Synology ticket.

Please help to re-export the certificate of VPN Server then the client can use the certificate to login again. Because the security issue of Heartbleed, we have changed the behavior of OpenVPN authentication. Each time you restart the OpenVPN or VPN Server on your DS1513+, the client needs to re-import the certificate to have a better security.


Unfortunately, re-exporting the certificate doesn't change anything. And having to change the certificate on each client after each VPN server restart is not a suitable solution; it's too heavy to manage.

This issue is really a pain. Like many others I have had since the last DSM upgrade.

I think I'll use another solution for VPN server, this synology feature become unusable.
fersingb
I'm New!
Posts: 8
Joined: Tue Jul 30, 2013 2:20 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby fersingb » Tue May 06, 2014 1:03 am

Hi there,

I had the exact same issue with my StartSSL certificates and OpenVPN. Here is what worked for me:

- Concatenate the startssl root CA with the startssl class1 certificate:

Code:

$ cat ssl.ca.pem ssl.sub.class1.server.ca.pem > ca.crt


- In DSM -> Security -> Certificate, import your certificate, but use the ca.crt file generated above as intermediate certificate.
- Restart the VPN server
- Re-export the config to the clients

That should do it.
fdp2
Trainee
Posts: 19
Joined: Fri Dec 22, 2006 6:06 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby fdp2 » Tue May 06, 2014 9:22 pm

Hello,

Many thanks for sharing this solution.
I didn't test it because I decided to use another VPN solution, and uninstalled the VPN server.

I hope this will help other users.

Cheers,
kenkendk
I'm New!
Posts: 9
Joined: Fri Mar 23, 2012 12:24 pm

Re: VPN Server update breaks when not using selfsigned cert

Postby kenkendk » Fri May 09, 2014 9:05 pm

Great idea with multiple certs.

I did not want to re-import the whole thing again, so I tried something else, and it turns out it is a problem with the client not accepting the signed certificate (in my setup at least).

I took the ca.crt file that you get when exporting the configuration from Synology and opened with a text editor.
Then I grabbed these two certificates:
https://www.startssl.com/certs/ca.pem
https://www.startssl.com/certs/sub.class1.server.ca.pem

And added them to the ca.crt file, and now my client (Tunnelblick) can connect.
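The failure in the first post's client log (VERIFY ERROR ... unable to get local issuer certificate) and the two fixes above (fersingb's concatenated ca.crt imported as the intermediate on the DSM side, kenkendk's edit of the exported ca.crt on the client side) are the same problem seen from both ends: the ca file handed to OpenVPN does not contain a self-signed root that the server's chain ends in. The script below is an added example, not code from the thread or from Synology. It builds a throwaway root -> intermediate -> server chain with openssl (all names, the $WORK directory and nas.example.com are made up), then runs the same chain check OpenVPN performs against a ca.crt holding only the intermediate, only the root, and root + intermediate. It also goes one step beyond the thread by showing that a root-only ca.crt works if the server itself presents the intermediate (openssl's -untrusted stands in for the server's certificate chain).

```shell
#!/bin/sh
# Added example (not from the thread or Synology): reproduce OpenVPN's
# "unable to get local issuer certificate" with a constructed CA chain and
# show which ca.crt contents let the server certificate verify.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for the demo

# make_chain: constructed three-level chain standing in for
# GeoTrust Global CA -> RapidSSL intermediate -> the NAS server certificate.
make_chain() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:nas.example.com
EOF
  # self-signed root
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -days 30 \
    -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/O=Example/CN=Example Root CA" 2>/dev/null
  # intermediate signed by the root
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/O=Example/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/int.pem" 2>/dev/null
  # server (leaf) certificate signed by the intermediate
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=nas.example.com" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 30 \
    -extfile "$WORK/ca.cnf" -extensions v3_server -out "$WORK/srv.pem" 2>/dev/null

  # What a broken export looks like: ca.crt holds only the intermediate.
  cp "$WORK/int.pem" "$WORK/ca_intermediate_only.crt"
  # The fix from the thread: root + intermediate concatenated into one ca.crt.
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/ca_bundle.crt"
}

# count_certs FILE: number of PEM certificates in a bundle. A ca.crt for a
# leaf issued via an intermediate should hold at least two.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_with CAFILE [CHAINFILE]: exit 0 if the server cert chains to a
# self-signed root in CAFILE, else 1. CHAINFILE (untrusted) plays the role
# of the extra certificates a server may send along with its own.
verify_with() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/srv.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/srv.pem" >/dev/null 2>&1
  fi
}

make_chain
for ca in ca_intermediate_only.crt root.pem ca_bundle.crt; do
  if verify_with "$WORK/$ca"; then
    echo "ca.crt=$ca ($(count_certs "$WORK/$ca") certs): OK"
  else
    reason=$(openssl verify -CAfile "$WORK/$ca" "$WORK/srv.pem" 2>&1 | tail -n 1)
    echo "ca.crt=$ca ($(count_certs "$WORK/$ca") certs): FAIL: $reason"
  fi
done
if verify_with "$WORK/root.pem" "$WORK/int.pem"; then
  echo "ca.crt=root.pem with server presenting the intermediate: OK"
fi
```

Two caveats a practitioner would want before relying on this. First, the certificates you append must be the CA's actual root and intermediate for your certificate (check with `openssl x509 -in server.crt -noout -issuer` and walk upward), not just any file from the CA's download page. Second, the first WARNING in the client log ("No server certificate verification method has been enabled") is separate from the chain problem: OpenVPN 2.3 prints it when the client config has neither `ns-cert-type server` nor `remote-cert-tls server`, and without one of them any certificate signed by the trusted CA, including a client certificate, is accepted as the server. Add `remote-cert-tls server` to the exported .ovpn once the chain verifies.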
