"Select certificate" function does not work
- EtsSpets
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Oct 29, 2021 8:18 am
"Select certificate" function does not work
Hey guys, it seems that everything is configured ok on the server side but the android client reverts to an error "there was an error attempting to connect to selected servers..." after pressing the "Select certificate" button in the client. I never get a prompt to actually select a certificate, although the certificate sits in the same folder alongside the configuration file that imports just fine. Might this be an app-related read error (Android file access restrictions etc.)? Please assist.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: "Select certificate" function does not work
Hello EtsSpets,
Having the certificates in the same folder as the imported config doesn't work. You need to either have the certs/key inlined in the connection profile, so they get picked up when you import the profile, or you need to reference them within OpenVPN. You can do this, for example, in the client connection profile:
cert mycert.crt
key myprivatekey.key
And then if the files are in the same directory, that should be picked up.
I believe there should also be an option in the app to import a client certificate, and then you can point to your certificate and key and import those, and then select those. But I haven't used connection profiles personally that have this split out - usually it's all embedded in one file which makes life so much easier.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
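As an added illustration of Johan's "all embedded in one file" advice (this is not OpenVPN's or Synology's own tooling), the script below merges a split profile and its three PEM files into a single .ovpn with `<ca>`, `<cert>` and `<key>` inline blocks. The file names and the placeholder PEM contents in the self-check are constructed for the example.

```shell
#!/bin/sh
# Merge a client profile plus separate CA / cert / key files into one .ovpn
# with the PEM data inlined, which the OpenVPN Connect import picks up
# directly. Added example for this thread, not a vendor tool.

emit_block() {            # emit_block <tag> <pem-file>
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# inline_profile <base.ovpn> <ca.crt> <client.crt> <client.key>  -> stdout
inline_profile() {
    for f in "$1" "$2" "$3" "$4"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Copy the base profile without the file-reference directives that the
    # inline blocks replace (only bare 'ca', 'cert', 'key'; 'key-direction',
    # 'remote-cert-tls' and similar are left untouched).
    grep -Ev '^[[:space:]]*(ca|cert|key)([[:space:]]|$)' "$1"
    emit_block ca   "$2"
    emit_block cert "$3"
    emit_block key  "$4"
}

# Self-check on constructed placeholder files (not real certificates or keys):
# prints the merged profile and returns 0 only if the file references are gone
# and all three inline blocks are present.
demo_inline_profile() {
    d=$(mktemp -d) || return 1
    printf 'client\nremote vpn.example.test 1194\ncert mycert.crt\nkey myprivatekey.key\nremote-cert-tls server\n' > "$d/base.ovpn"
    for n in ca cert key; do
        printf '%s\n%s\n%s\n' '-----BEGIN PLACEHOLDER-----' "$n-placeholder-bytes" \
            '-----END PLACEHOLDER-----' > "$d/$n.pem"
    done
    out=$(inline_profile "$d/base.ovpn" "$d/ca.pem" "$d/cert.pem" "$d/key.pem") || return 1
    rm -rf "$d"
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q '^cert mycert.crt' && return 1
    printf '%s\n' "$out" | grep -q '^key myprivatekey.key' && return 1
    for t in ca cert key; do
        printf '%s\n' "$out" | grep -q "^<$t>" || return 1
    done
    return 0
}
# Usage: inline_profile client.ovpn ca.crt client.crt client.key > client-inline.ovpn
```

The resulting single file still contains the private key, so treat it with the same care as the separate key file.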
- EtsSpets
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Oct 29, 2021 8:18 am
Re: "Select certificate" function does not work
So what you are saying here is that the OpenVPN implementation that Synology provides is pretty much not secure as there are no server or client certs involved at all...
openvpn_inc wrote: ↑ Fri Nov 05, 2021 1:49 pm
Hello EtsSpets,
Having the certificates in the same folder as the imported config doesn't work. You need to either have the certs/key inlined in the connection profile, so they get picked up when you import the profile, or you need to reference them within OpenVPN. You can do for example in the client connection profile;
cert mycert.crt
key myprivatekey.key
And then if the files are in the same directory, that should be picked up.
I believe there should also be an option in the app to import a client certificate, and then you can point to your certificate and key and import those, and then select those. But I haven't used connection profiles personally that have this split out - usually it's all embedded in one file which makes life so much easier.
Kind regards,
Johan
- EtsSpets
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Oct 29, 2021 8:18 am
Re: "Select certificate" function does not work
I googled a bit, Synology has disabled certs in its default conf. And I can't even edit the openvpn.conf files or its file attributes over SSH...wtf
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: "Select certificate" function does not work
Hello EtsSpets,
I am not sure how you concluded from what I said that the Synology implementation of OpenVPN doesn't use certificates by default. But it appears you are somewhat right. I see that they do support the use of a certificate for verifying the server identity, but they don't support certificates to verify the client identity. This is not so bad as it seems - one particular MiTM attack at least is mitigated in this way. But you're right, it would be more secure to verify client identity with certificates too.
The OpenVPN3 library which is used in OpenVPN Connect v3 assumes by default that you are always using client and server certificates. You can choose to either use OpenVPN2 like OpenVPN GUI or Tunnelblick which doesn't make that assumption, or you can use OpenVPN Connect v3 and add into the client configuration a line like:
setenv CLIENT_CERT 0
Which informs OpenVPN to not expect a client certificate. This is a bit odd but if this is what you have... then this is how to work around this.
Ideally of course Synology would implement client certificates, and then this extra line is not necessary.
See also this FAQ document: https://openvpn.net/faq/how-to-make-the ... icate-key/
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
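As an added illustration (not from Johan's post or from Synology's exported profile), a client profile for the case described above, where only the server presents a certificate: `setenv CLIENT_CERT 0` stops OpenVPN Connect from expecting a client certificate, while the `<ca>` block together with `remote-cert-tls server` is what still lets the client verify the server's identity. The remote host, the username/password line and the CA placeholder are assumptions.

```conf
client
dev tun
proto udp
remote vpn.example.test 1194
# No client certificate exists on this server setup, so tell the OpenVPN3
# library not to require one (the workaround from the reply above).
setenv CLIENT_CERT 0
# With no client certificate, username/password (assumed here) is the only
# proof of the client's identity, so it deserves a strong credential.
auth-user-pass
# Server identity is still checked: the server certificate must chain to the
# CA below and be marked as a server certificate, so a leaked non-server
# certificate from the same CA cannot impersonate the VPN server.
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: CA certificate exported from the Synology goes here)
-----END CERTIFICATE-----
</ca>
```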
- EtsSpets
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Oct 29, 2021 8:18 am
Re: "Select certificate" function does not work
Thanks for this. Managed to get it working, still no clue why a vendor would disable client side certs and enforce that setting so diligently.