"Select certificate" function does not work

Official client software for OpenVPN Access Server and OpenVPN Cloud.
EtsSpets
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 29, 2021 8:18 am

"Select certificate" function does not work

Post by EtsSpets » Fri Oct 29, 2021 8:23 am

Hey guys, it seems that everything is configured OK on the server side, but the Android client reverts to an error "there was an error attempting to connect to selected servers..." after pressing the "Select certificate" button in the client. I never get a prompt to actually select a certificate, although the certificate sits in the same folder alongside the configuration file, which imports just fine. Might this be an app-related read error (Android file access restrictions etc.)? Please assist.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: "Select certificate" function does not work

Post by openvpn_inc » Fri Nov 05, 2021 1:49 pm

Hello EtsSpets,

Having the certificates in the same folder as the imported config doesn't work. You need to either have the certs/key inlined in the connection profile, so they get picked up when you import the profile, or you need to reference them within OpenVPN. You can do, for example, in the client connection profile:

cert mycert.crt
key myprivatekey.key

And then if the files are in the same directory, that should be picked up.

I believe there should also be an option in the app to import a client certificate, and then you can point to your certificate and key and import those, and then select those. But I haven't used connection profiles personally that have this split out - usually it's all embedded in one file which makes life so much easier.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

EtsSpets
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 29, 2021 8:18 am

Re: "Select certificate" function does not work

Post by EtsSpets » Sun Jan 02, 2022 7:26 pm

openvpn_inc wrote:
Fri Nov 05, 2021 1:49 pm
Hello EtsSpets,

Having the certificates in the same folder as the imported config doesn't work. You need to either have the certs/key inlined in the connection profile, so they get picked up when you import the profile, or you need to reference them within OpenVPN. You can do, for example, in the client connection profile:

cert mycert.crt
key myprivatekey.key

And then if the files are in the same directory, that should be picked up.

I believe there should also be an option in the app to import a client certificate, and then you can point to your certificate and key and import those, and then select those. But I haven't used connection profiles personally that have this split out - usually it's all embedded in one file which makes life so much easier.

Kind regards,
Johan

So what you are saying here is that the OpenVPN implementation that Synology provides is pretty much not secure as there are no server or client certs involved at all...

EtsSpets
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 29, 2021 8:18 am

Re: "Select certificate" function does not work

Post by EtsSpets » Sun Jan 02, 2022 7:38 pm

I googled a bit, Synology has disabled certs in its default conf. And I can't even edit the openvpn.conf files or its file attributes over SSH... wtf

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: "Select certificate" function does not work

Post by openvpn_inc » Thu Jan 06, 2022 5:18 pm

Hello EtsSpets,

I am not sure how you concluded from what I said that the Synology implementation of OpenVPN doesn't use certificates by default. But it appears you are somewhat right. I see that they do support the use of a certificate for verifying the server identity, but they don't support certificates to verify the client identity. This is not so bad as it seems - one particular MiTM attack at least is mitigated in this way. But you're right, it would be more secure to verify client identity with certificates too.

The OpenVPN3 library which is used in OpenVPN Connect v3 assumes by default that you are always using client and server certificates. You can choose to either use OpenVPN2 like OpenVPN GUI or Tunnelblick which doesn't make that assumption, or you can use OpenVPN Connect v3 and add into the client configuration a line like:
setenv CLIENT_CERT 0

Which informs OpenVPN to not expect a client certificate. This is a bit odd but if this is what you have... then this is how to work around this.

Ideally of course Synology would implement client certificates, and then this extra line is not necessary.

See also this FAQ document: https://openvpn.net/faq/how-to-make-the ... icate-key/

Kind regards,
Johan
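The profile cases discussed in this thread (inlined cert/key, "cert"/"key" file references, and "setenv CLIENT_CERT 0"), as an added example that is not part of the original posts and not OpenVPN's own code: a small Python check that classifies a client profile before it is imported. The helper name audit_profile, the hostname and the sample profiles are constructed for illustration; other ways of supplying a certificate (such as pkcs12) are not handled.

```python
import re

# Inline blocks as used in unified .ovpn profiles: <ca>, <cert>, <key>.
INLINE = re.compile(r"<(ca|cert|key)>.*?</\1>", re.S)

def audit_profile(text, sibling_files=()):
    """Report how a client profile supplies its client certificate (hypothetical helper)."""
    inline = {m.group(1) for m in INLINE.finditer(text)}
    opts = {}
    for raw in INLINE.sub("", text).splitlines():   # parse directives outside PEM blocks
        parts = raw.split()
        if parts and parts[0][0] not in "#;":       # skip blank lines and comments
            opts.setdefault(parts[0], []).append(parts[1:])
    refs = {d: opts[d][0][0] for d in ("cert", "key") if opts.get(d) and opts[d][0]}
    findings = []
    if {"cert", "key"} <= inline:
        mode = "inline"
    elif len(refs) == 2:
        mode = "files"
        for d, name in refs.items():
            if name not in sibling_files:
                findings.append(f"{d} references {name}, which was not found beside the profile")
    elif ["CLIENT_CERT", "0"] in opts.get("setenv", []):
        mode = "disabled"
        findings.append("client certificates are off: the server must authenticate the user another way")
    else:
        mode = "missing"
        findings.append("no cert/key and no 'setenv CLIENT_CERT 0': Connect v3 expects a certificate")
    server_verified = "ca" in inline or "ca" in opts
    if not server_verified:
        findings.append("no ca: the server certificate cannot be verified")
    return {"client_cert": mode, "server_verified": server_verified, "findings": findings}

# Constructed sample: server CA only, username/password login (the situation in the thread).
CA_ONLY = """client
dev tun
remote vpn.example.net 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""
WORKAROUND = CA_ONLY + "setenv CLIENT_CERT 0\n"
SPLIT = "client\nca ca.crt\ncert mycert.crt\nkey myprivatekey.key\n"

if __name__ == "__main__":
    for name, profile in (("ca-only", CA_ONLY), ("workaround", WORKAROUND), ("split", SPLIT)):
        print(name, audit_profile(profile))
```
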

EtsSpets
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 29, 2021 8:18 am

Re: "Select certificate" function does not work

Post by EtsSpets » Sat Feb 12, 2022 5:49 pm

Thanks for this. Managed to get it working, still no clue why a vendor would disable client-side certs and enforce that setting so diligently.
