OpenVPN certificate connection issue

Postby jameskb101 » Fri Apr 25, 2014 8:40 am

Hi all

Some help would be much appreciated here. I've been successfully running OpenVPN on my Synology DS212j for the last 2 years. Recently upgraded the VPN Server to Version 1.2-2414 and I can no longer VPN into my Diskstation. The error seems to be to do with a mismatch in CA certificates - OpenVPN appears to be expecting to find one issued by StartCom, but the one I export from the Synology OpenVPN configuration is issued by Synology.

I've tried to put the StartCom certificate in my client openvpn folder, but the problem remains. I have then tried to issue my own certificates/keys following the OpenVPN instructions here http://openvpn.net/index.php/open-source/documentation/howto.html#pki. I was able to generate the keys and certificates using easy-rsa, but I do not know where to put them once I have root access to the Diskstation. Bernard Heiser has some instructions based on an older DS model, but the directory structure has changed http://bernhard.hensler.net/2009/01/03/openvpn-and-pki-and-synology-cs407/. Synology's own Wiki entry on the subject is not clear to me I'm afraid (http://forum.synology.com/wiki/index.php/How_to_use_your_own_certificates_for_connecting).

Any help on instructions on how to restore VPN access would be much appreciated. I haven't found anything on the web which provides all the steps necessary for my issue.

OpenVPN error is thus:

Fri Apr 25 08:22:56 2014 OpenVPN 2.3.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr 14 2014
Fri Apr 25 08:23:03 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 25 08:23:04 2014 UDPv4 link local (bound): [undef]
Fri Apr 25 08:23:04 2014 UDPv4 link remote: [AF_INET]82.xx.xx.xxx:1194
Fri Apr 25 08:23:04 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 25 08:23:04 2014 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Fri Apr 25 08:23:04 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Apr 25 08:23:04 2014 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 25 08:23:04 2014 TLS Error: TLS handshake failed
Fri Apr 25 08:23:04 2014 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 25 08:23:06 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 25 08:23:06 2014 UDPv4 link local (bound): [undef]
Fri Apr 25 08:23:06 2014 UDPv4 link remote: [AF_INET]82.xx.xx.xxx:1194
Fri Apr 25 08:23:06 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:06 2014 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Fri Apr 25 08:23:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Apr 25 08:23:06 2014 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 25 08:23:06 2014 TLS Error: TLS handshake failed
Fri Apr 25 08:23:06 2014 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 25 08:23:08 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 25 08:23:08 2014 UDPv4 link local (bound): [undef]
Fri Apr 25 08:23:08 2014 UDPv4 link remote: [AF_INET]82.xx.xx.xxx:1194
Fri Apr 25 08:23:08 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:08 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:09 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:09 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:10 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:10 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:11 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:11 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:12 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:12 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:13 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:13 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
Fri Apr 25 08:23:14 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)


Many thanks to anyone out there able to help!

James
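
Added example, not part of the original post: a Python triage of a client log like the one above. It collapses the repeated `VERIFY ERROR` lines into distinct findings (chain depth and certificate subject) and records whether the client logged the warning that no server certificate verification method is enabled. The sample log is constructed from lines in the post, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample, shortened from the kind of client log shown in the post.
SAMPLE_LOG = """\
Fri Apr 25 08:23:03 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr 25 08:23:04 2014 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Fri Apr 25 08:23:04 2014 TLS Error: TLS handshake failed
Fri Apr 25 08:23:06 2014 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Fri Apr 25 08:23:06 2014 TLS Error: Unroutable control packet received from [AF_INET]82.xx.xx.xxx:1194 (si=3 op=P_CONTROL_V1)
"""

# depth=0 is the server's own certificate, depth=1 the CA that issued it, and so on.
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.+)$")
CN_RE = re.compile(r"CN=(.+)$")


def triage(log_text):
    """Summarise certificate verification problems in an OpenVPN client log."""
    failures = Counter()
    no_server_check = False
    for line in log_text.splitlines():
        match = VERIFY_RE.search(line)
        if match:
            depth = int(match.group(1))
            failures[(depth, match.group(2).strip(), match.group(3).strip())] += 1
        elif "No server certificate verification method" in line:
            no_server_check = True
    findings = []
    for (depth, error, subject), count in failures.items():
        cn = CN_RE.search(subject)
        findings.append({
            "depth": depth,
            "error": error,
            "cn": cn.group(1) if cn else subject,
            "count": count,
        })
    return {"verify_failures": findings, "no_server_cert_check": no_server_check}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
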

Re: OpenVPN certificate connection issue

Postby rongrimes » Sat Apr 26, 2014 12:45 am

[Edited]
James:
We're getting a similar error and I originally posted a "me-too" message here. I've since found some likely solutions (searching for OpenVPN) including one at:
viewtopic.php?f=173&t=84908&p=319506&hilit=openvpn#p319506

(I'll try it later).
/R

Re: OpenVPN certificate connection issue

Postby fersingb » Tue May 06, 2014 1:09 am

Hi,

I also had the same issue. Here's the solution I found

Re: OpenVPN certificate connection issue

Postby jameskb101 » Mon May 12, 2014 2:19 pm

Thanks all, I can confirm that the second link provided by fersingb worked for me, see here: http://forum.synology.com/enu/viewtopic.php?f=173&t=84908&p=323124#p323124

Re: OpenVPN certificate connection issue

Postby drewdin » Tue Apr 12, 2016 12:24 am

I tried using the suggestions but it didn't work, I also noticed that the certificate sub.class1.server.ca.pem only has one line in it, is that correct?

My ca.crt looks like

-----BEGIN CERTIFICATE-----
STUFF from original ca.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
STUFF from ca.pem
-----END CERTIFICATE-----
class1/sha2/pem/sub.class1.server.sha2.ca.pem
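
Added example, not part of the original post: a structural check for a concatenated CA file like the one shown above. It counts well-formed PEM certificate blocks and reports stray text outside any block or a body that does not decode, which is what a one-line download or a pasted path looks like to the client. `lint_ca_bundle` is a hypothetical helper, the sample file is constructed, and `MAMCAQE=` is a placeholder DER value, not a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample mirroring the layout in the post.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
STUFF from ca.pem
-----END CERTIFICATE-----
class1/sha2/pem/sub.class1.server.sha2.ca.pem
"""


def lint_ca_bundle(text):
    """Return (well_formed_block_count, problems). Structural check only:
    the body must be strict base64 that decodes to a DER SEQUENCE (0x30)."""
    problems, good, body, start = [], 0, None, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {n}: BEGIN inside block opened at line {start}")
            body, start = [], n
        elif line == END:
            if body is None:
                problems.append(f"line {n}: END without BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
                if not der or der[0] != 0x30:
                    raise ValueError("not a DER SEQUENCE")
                good += 1
            except (binascii.Error, ValueError) as exc:
                problems.append(f"lines {start}-{n}: body is not a certificate ({exc})")
            body = None
        elif body is not None:
            body.append(line)
        elif line:
            problems.append(f"line {n}: text outside any certificate block: {line!r}")
    if body is not None:
        problems.append(f"line {start}: block never closed")
    return good, problems
```
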
