Error message: Peer certificate verification failure
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Dec 09, 2021 9:32 am
Re: Error message: Peer certificate verification failure
Can we have an update from OpenVPN regarding this issue with OpenVPN Connect client?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sun Jan 23, 2022 9:12 pm
Re: Error message: Peer certificate verification failure
Over 12000 views on this thread.
Same issue here, reproducible with the same versions outlined above.
Is there an increase or change in certificate algorithm requirements which means a cert which works in previous versions is no longer strong enough in the latest version?
- openvpn_inc
- OpenVPN Inc.
- Posts: 660
- Joined: Tue Feb 16, 2021 10:41 am
Re: Error message: Peer certificate verification failure
Hi Hazz,
Sorry, no. It does seem that there is some issue for OpenVPN Connect and verification of certificates with either of these:
- Azure Point-to-Site
- Synology NAS
AFAIK no one in this thread has yet opened a support ticket with the details. We need that. We need logs, ideally from Connect client AND the server. If I am not correct, and someone here has opened a ticket, please reply with the ticket number, so I can look it up and reopen if necessary.
Please use the link in my signature to provide us the information to try to figure this out. I can also suggest for Azure and Synology users to open support tickets with those companies.
snwtoy wrote: ↑Tue Jan 25, 2022 2:04 am
Over 12000 views on this thread.
Same issue here, reproducible with the same versions outlined above.
Is there an increase or change in certificate algorithm requirements which means a cert which works in previous versions is no longer strong enough in the latest version?
That indeed sounds like a plausible guess. Perhaps if you could get us openssl(1) x509(1) information about the server, client and CA certificates, we could check on that. If you don't know how to do that, attach those certificates (and DO NOT attach private keys) to a Support ticket. Certificates are safe to post; they do not require secure handling.
regards, rob0

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jan 27, 2022 12:13 pm
Re: Error message: Peer certificate verification failure
In my case the problem was an expired self-signed certificate on the Synology side.
The cert expired on January 24th. I don't know if this cert gets shipped from Synology or if it is created upon installing DSM (hence I don't know if it expires for everybody on that date or just me). Either way, it is NOT renewed automatically.
I got exactly the same error message when the cert expired: "Peer certificate verification failure".
The workaround is pretty easy: create a new self-signed cert, restart the Synology VPN server, remove the old config profile from all your clients, download the config profile from the Synology VPN server, and push it to the clients. Solved my problem.
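An added example, not part of any post in this thread: a shell sketch that runs the openssl x509 checks mentioned above against every certificate embedded in a client profile or PEM file and flags expired ones. The function names, the 30-day default window and the output format are assumptions of this example; it reads only CERTIFICATE blocks and never touches private keys.

```shell
#!/bin/sh
# split_certs FILE DIR: write each PEM certificate found in FILE to DIR/cert-N.pem.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# cert_report FILE [WINDOW_SECONDS]
# Prints one line per certificate: STATUS|subject|notAfter|signature algorithm
# STATUS is EXPIRED, EXPIRING (within WINDOW_SECONDS) or OK.
cert_report() {
    file=$1; window=${2:-2592000}        # assumed default window: 30 days
    tmp=$(mktemp -d) || return 1
    split_certs "$file" "$tmp"
    for pem in "$tmp"/cert-*.pem; do
        [ -f "$pem" ] || { echo "NO_CERTIFICATE_FOUND"; break; }
        # -checkend N exits non-zero when the certificate expires within N seconds.
        if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            status=EXPIRED
        elif ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            status=EXPIRING
        else
            status=OK
        fi
        subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
        end=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        sigalg=$(openssl x509 -in "$pem" -noout -text |
                 sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
        echo "$status|$subject|$end|$sigalg"
    done
    rm -rf "$tmp"
}

# Usage: sh this_script.sh client.ovpn [window_seconds]
if [ "$#" -gt 0 ]; then
    cert_report "$@"
fi
```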
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Dec 09, 2021 9:32 am
Re: Error message: Peer certificate verification failure
openvpn_inc wrote: ↑Wed Jan 26, 2022 1:10 am
Hi Hazz,
Sorry, no. It does seem that there is some issue for OpenVPN Connect and verification of certificates with either of these:
- Azure Point-to-Site
- Synology NAS
Presumably each of those are running some variation of Community edition OpenVPN server. We don't support and maintain those, so we don't have the ability to test this.
AFAIK no one in this thread has yet opened a support ticket with the details. We need that. We need logs, ideally from Connect client AND the server. If I am not correct, and someone here has opened a ticket, please reply with the ticket number, so I can look it up and reopen if necessary.
Please use the link in my signature to provide us the information to try to figure this out. I can also suggest for Azure and Synology users to open support tickets with those companies.
snwtoy wrote: ↑Tue Jan 25, 2022 2:04 am
Over 12000 views on this thread.
Same issue here, reproducible with the same versions outlined above.
Is there an increase or change in certificate algorithm requirements which means a cert which works in previous versions is no longer strong enough in the latest version?
That indeed sounds like a plausible guess. Perhaps if you could get us openssl(1) x509(1) information about the server, client and CA certificates, we could check on that. If you don't know how to do that, attach those certificates (and DO NOT attach private keys) to a Support ticket. Certificates are safe to post; they do not require secure handling.
regards, rob0
Thanks for the reply. I will gather the logs together and submit a ticket. Will update thread with ticket number too.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Feb 01, 2022 7:33 pm
Re: Error message: Peer certificate verification failure
I'm also facing this issue when trying to connect to a Synology NAS.
Using the iOS client works fine, so it must be the Windows client that has a bug?
Looking at both logs I see this on the iOS client:
Code:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
IV_BS64DL=1
But I see this on the Windows client:
Code:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.3.4-2600
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
Any noticeable differences that could explain the problem?
I tried different old versions and managed to download: openvpn-connect-3.1.3.713_signed.msi
This version (3.1.3.713) works fine!
This is the log of version 3.1.3.713 on Windows:
Code:
IV_GUI_VER=OCmacOS_3.1.3-713
IV_VER=3.git::f225fcd0
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_BS64DL=1
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Feb 08, 2022 6:20 pm
Re: Error message: Peer certificate verification failure
Good day to all,
I want to communicate my situation as it is similar to what users are experiencing here.
My setup:
ISP Gateway -> Synology NAS OpenVPN server
Clients are Windows and Android devices using latest OpenVPN Connect version.
My findings:
Latest OpenVPN Connect on Android and OpenVPN Connect 3.3.X on Windows do not connect to the Synology NAS OpenVPN server IF the "Verify Server CN" option is checked on the Synology NAS VPN Server application.
This option will generate a client config file with the following:
</tls-auth>
verify-x509-name 'serveraddress' name
When the above is activated on the server and passed to all clients, the connection fails on Windows and Android running latest OpenVPN Connect version. HOWEVER, the connection succeeds using OpenVPN Connect 3.2.X on Windows (and used to work on Android before the last update) or the VPN GUI community supported application also on Windows.
I would consider this a solution for Windows if not for the fact that Android users are forced to use OpenVPN connect.
Disabling "Verify Server CN" on the Synology NAS Server and exporting the new config to all clients will allow the connection to work on both Android and Windows with latest OpenVPN connect.
I have approached Synology tech support on this (was also escalated to the developers) and they advise that this behavior is caused by a change in OpenVPN Connect from versions 3.2.X to 3.3.X and cite this forum as well.
To be clear, this issue was replicated by both Synology USA and their developers in Taiwan.
Hope this helps to solve the problem or at least provide a temporary workaround for the affected users.
Kind Regards
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Feb 23, 2022 9:26 pm
Re: Error message: Peer certificate verification failure
Same here. If I use v3.3, it doesn't work (unless I remove the line starting with "verify-x509-name ...").
But if I use v2.7 or v3.2, then I don't have to remove anything in the config and it'll work fine.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Nov 07, 2013 7:06 pm
Re: Error message: Peer certificate verification failure
FYI,
I found that I did not have to remove the verify line, but instead needed to remove or replace the single-quotation marks.
Original Line: verify-x509-name 'serveraddress.synology.me' name
Working Line:
verify-x509-name serveraddress.synology.me name
OR
verify-x509-name "serveraddress.synology.me" name
Dream
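An added example, not part of the post above: a small linter and fixer for the quoting workaround it describes, reading a profile on standard input. The function names and the constructed sample profile are assumptions of this example; the host name is the placeholder used in the thread.

```shell
#!/bin/sh
# Constructed sample profile (placeholder host name, no real key material).
sample_profile() {
    cat <<'EOF'
client
remote serveraddress.synology.me 1194
<tls-auth>
# key material elided
</tls-auth>
verify-x509-name 'serveraddress.synology.me' name
EOF
}

# lint_verify_x509: read a profile on stdin and report every verify-x509-name
# directive whose name argument starts with a single quote.
# Exit status is 1 if at least one such line was found, 0 otherwise.
lint_verify_x509() {
    awk -v q="'" '
        # Inline blocks (<ca>, <cert>, <key>, <tls-auth>, ...) hold key
        # material, not directives, so their contents are skipped.
        $1 ~ /^<\//              { inblock = 0; next }
        $1 ~ /^</                { inblock = 1; next }
        inblock || $1 ~ /^[#;]/  { next }
        $1 == "verify-x509-name" && substr($2, 1, 1) == q {
            printf "line %d: single-quoted name: %s\n", NR, $0
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# fix_verify_x509: copy the profile from stdin to stdout, replacing single
# quotes around the name argument with double quotes. Other lines are copied
# unchanged; key material never starts with the directive name.
fix_verify_x509() {
    sed -E "s/^([[:space:]]*verify-x509-name[[:space:]]+)'([^']*)'/\\1\"\\2\"/"
}

# Demonstration on the constructed sample: lint, then lint the fixed copy.
sample_profile | lint_verify_x509 || echo "profile needs fixing"
sample_profile | fix_verify_x509 | lint_verify_x509 && echo "fixed profile is clean"
```

Run `lint_verify_x509 < client.ovpn` against an exported profile, and keep the original file until the rewritten one has been tested.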
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed May 25, 2022 11:17 pm
Re: Error message: Peer certificate verification failure
As a Mac user, it seems that OpenVPN Connect version 3.2.7 is my best hope at this point. I can't find a (reputable) link to that version anywhere on the web or openvpn.net. Does someone have a link they could provide?