Error message: Peer certificate verification failure

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Hazz
OpenVpn Newbie
Posts: 3
Joined: Thu Dec 09, 2021 9:32 am

Re: Error message: Peer certificate verification failure

Post by Hazz » Thu Jan 13, 2022 4:34 pm

Can we have an update from OpenVPN regarding this issue with OpenVPN Connect client?

snwtoy
OpenVpn Newbie
Posts: 1
Joined: Sun Jan 23, 2022 9:12 pm

Re: Error message: Peer certificate verification failure

Post by snwtoy » Tue Jan 25, 2022 2:04 am

Over 12000 views on this thread.

Same issue here, reproducible with the same versions outlined above.

Is there an increase or change in certificate algorithm requirements which means a cert which works in previous versions is no longer strong enough in the latest version?

openvpn_inc
OpenVPN Inc.
Posts: 1052
Joined: Tue Feb 16, 2021 10:41 am

Re: Error message: Peer certificate verification failure

Post by openvpn_inc » Wed Jan 26, 2022 1:10 am

> Hazz wrote (Thu Jan 13, 2022 4:34 pm):
> Can we have an update from OpenVPN regarding this issue with OpenVPN Connect client?

Hi Hazz,

Sorry, no. It does seem that there is some issue for OpenVPN Connect and verification of certificates with either of these:
  • Azure Point-to-Site
  • Synology NAS
Presumably each of those is running some variation of Community edition OpenVPN server. We don't support and maintain those, so we don't have the ability to test this.

AFAIK no one in this thread has yet opened a support ticket with the details. We need that. We need logs, ideally from Connect client AND the server. If I am not correct, and someone here has opened a ticket, please reply with the ticket number, so I can look it up and reopen if necessary.

Please use the link in my signature to provide us the information to try to figure this out. I can also suggest for Azure and Synology users to open support tickets with those companies.

> snwtoy wrote (Tue Jan 25, 2022 2:04 am):
> Over 12000 views on this thread.
>
> Same issue here, reproducible with the same versions outlined above.
>
> Is there an increase or change in certificate algorithm requirements which means a cert which works in previous versions is no longer strong enough in the latest version?

That indeed sounds like a plausible guess. Perhaps if you could get us openssl(1) x509(1) information about the server, client and CA certificates, we could check on that. If you don't know how to do that, attach those certificates (and DO NOT attach private keys) to a Support ticket. Certificates are safe to post; they do not require secure handling.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

lightxx
OpenVpn Newbie
Posts: 1
Joined: Thu Jan 27, 2022 12:13 pm

Re: Error message: Peer certificate verification failure

Post by lightxx » Thu Jan 27, 2022 12:15 pm

In my case the problem was an expired self-signed certificate on the Synology side.
The cert expired on January 24th. I don't know if this cert gets shipped from Synology or if it is created upon installing DSM (hence I don't know if it expires for everybody on that date or just me). Either way, it is NOT renewed automatically.
I got exactly the same error message when the cert expired: "Peer certificate verification failure".

The workaround is pretty easy, create a new self-signed cert, restart the Synology VPN server, remove the old config profile from all your clients, download the config profile from the Synology VPN server, and push it to the clients. Solved my problem.
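
For the certificate details rob0 asks for and the expiry lightxx ran into, an added example (not from any poster or from OpenVPN Inc.) that pulls only the certificates out of a profile's inline blocks and reports issuer, subject, validity, algorithms and expiry through the openssl CLI. It assumes the profile embeds its certificates in `<ca>`, `<cert>` or `<extra-certs>` blocks and that `openssl` is on PATH; the sample profile and the function names are constructed.

```python
import re
import subprocess
import sys

# Only certificate-bearing inline blocks are read; <key>, <tls-auth> and
# <tls-crypt> are never touched, so no key material reaches the output.
CERT_TAGS = ("ca", "cert", "extra-certs")
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
FIELDS = ("Issuer:", "Subject:", "Not Before", "Not After",
          "Signature Algorithm", "Public-Key")

# Constructed sample profile; the PEM bodies are placeholders, not real data.
SAMPLE = """\
client
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
"""

def certs_from_profile(text):
    """Return [(tag, pem)] for each certificate found in the inline blocks."""
    found = []
    for tag in CERT_TAGS:
        for block in re.findall(rf"<{tag}>(.*?)</{tag}>", text, re.S):
            found += [(tag, pem + "\n") for pem in PEM_CERT.findall(block)]
    return found

def describe(pem):
    """Selected lines of `openssl x509 -text` plus the current expiry state."""
    text = subprocess.run(["openssl", "x509", "-noout", "-text"], input=pem,
                          capture_output=True, text=True, check=True).stdout
    lines = [l.strip() for l in text.splitlines() if any(f in l for f in FIELDS)]
    expired = subprocess.run(["openssl", "x509", "-noout", "-checkend", "0"],
                             input=pem, capture_output=True, text=True).returncode != 0
    return "\n".join(lines + ["EXPIRED" if expired else "not expired"])

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real profile: ask openssl about each certificate
        for tag, pem in certs_from_profile(open(sys.argv[1]).read()):
            print(f"<{tag}>\n{describe(pem)}\n")
    else:                   # no argument: list what SAMPLE would yield
        print([tag for tag, _ in certs_from_profile(SAMPLE)])
```

The server's own certificate is usually not in the client profile, so an expired server certificate still has to be checked on the server side.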

Hazz
OpenVpn Newbie
Posts: 3
Joined: Thu Dec 09, 2021 9:32 am

Re: Error message: Peer certificate verification failure

Post by Hazz » Mon Jan 31, 2022 11:25 am

Thanks for the reply. I will gather the logs together and submit a ticket. Will update thread with ticket number too.

openvpnuser123
OpenVpn Newbie
Posts: 1
Joined: Tue Feb 01, 2022 7:33 pm

Re: Error message: Peer certificate verification failure

Post by openvpnuser123 » Tue Feb 01, 2022 7:41 pm

I'm also facing this issue when trying to connect to a Synology NAS.

Using the iOS client works fine, so it must be the Windows client that has a bug?

Looking at both logs I see this on the iOS client:

IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
IV_BS64DL=1

But I see this on the Windows client:

IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.3.4-2600
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1

Any noticeable differences that could explain the problem?

I tried different old versions and managed to download: openvpn-connect-3.1.3.713_signed.msi
This version (3.1.3.713) works fine!

This is the log of version 3.1.3.713 on Windows:

IV_GUI_VER=OCmacOS_3.1.3-713
IV_VER=3.git::f225fcd0
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_BS64DL=1

Zephyr2084
OpenVpn Newbie
Posts: 1
Joined: Tue Feb 08, 2022 6:20 pm

Re: Error message: Peer certificate verification failure

Post by Zephyr2084 » Tue Feb 08, 2022 6:46 pm

Good day to all,

I want to communicate my situation as it is similar to what users are experiencing here.

My setup:
ISP Gateway -> Synology NAS OpenVPN server
Clients are Windows and Android devices using latest OpenVPN Connect version.

My findings:
Latest OpenVPN Connect on Android and OpenVPN Connect 3.3.X on Windows do not connect to the Synology NAS OpenVPN server IF the "Verify Server CN" option is checked on the Synology NAS VPN Server application.
This option will generate a client config file with the following:

</tls-auth>
verify-x509-name 'serveraddress' name

When the above is activated on the server and passed to all clients, the connection fails on Windows and Android running latest OpenVPN Connect version. HOWEVER, the connection succeeds using OpenVPN Connect 3.2.X on Windows (and used to work on Android before the last update) or the VPN GUI community supported application also on Windows.
I would consider this a solution for Windows if not for the fact that Android users are forced to use OpenVPN Connect.

Disabling "Verify Server CN" on the Synology NAS Server and exporting the new config to all clients will allow the connection to work on both Android and Windows with latest OpenVPN Connect.

I have approached Synology tech support on this (was also escalated to the developers) and they advise that this behavior is caused by a change in OpenVPN Connect from versions 3.2.X to 3.3.X and cite this forum as well.
To be clear, this issue was replicated by both Synology USA and their developers in Taiwan.

Hope this helps to solve the problem or at least provide a temporary workaround for the affected users.

Kind Regards

chaoscreater
OpenVpn Newbie
Posts: 1
Joined: Wed Feb 23, 2022 9:26 pm

Re: Error message: Peer certificate verification failure

Post by chaoscreater » Wed Feb 23, 2022 11:01 pm

Same here. If I use v3.3, it doesn't work (unless I remove the line starting with "verify-x509-name ...").

But if I use v2.7 or v3.2, then I don't have to remove anything in the config and it'll work fine.

DreamCypher
OpenVpn Newbie
Posts: 2
Joined: Thu Nov 07, 2013 7:06 pm

Re: Error message: Peer certificate verification failure

Post by DreamCypher » Fri May 13, 2022 9:27 pm

FYI,
I found that I did not have to remove the verify line, but instead needed to remove or replace the single-quotation marks.

Original Line: verify-x509-name 'serveraddress.synology.me' name

Working Line:
verify-x509-name serveraddress.synology.me name
OR
verify-x509-name "serveraddress.synology.me" name

Dream

ggjes
OpenVpn Newbie
Posts: 1
Joined: Wed May 25, 2022 11:17 pm

Re: Error message: Peer certificate verification failure

Post by ggjes » Wed May 25, 2022 11:18 pm

As a Mac user, it seems that OpenVPN Connect version 3.2.7 is my best hope at this point. I can't find a (reputable) link to that version anywhere on the web or openvpn.net. Does someone have a link they could provide?

DaRosenberg
OpenVpn Newbie
Posts: 2
Joined: Sat Jun 04, 2022 10:04 am

Re: Error message: Peer certificate verification failure

Post by DaRosenberg » Sat Jun 04, 2022 10:06 am

> DreamCypher wrote (Fri May 13, 2022 9:27 pm):
> I found that I did not have to remove the verify line, but instead needed to remove or replace the single-quotation marks.

Thank you DreamCypher!! :D This did the trick for me too!

In my case the .ovpn profile comes generated from Azure VPN Gateway, with single quotes around the remote name. Removing those single quotes as per your suggestion solved the issue!

DaRosenberg
OpenVpn Newbie
Posts: 2
Joined: Sat Jun 04, 2022 10:04 am

Re: Error message: Peer certificate verification failure

Post by DaRosenberg » Sat Jun 04, 2022 10:08 am

And a note to OpenVPN staff here who keep insisting this must be an issue with the configuration: Not sure what the config profile rules are, but it definitely seems like a bug having been introduced in the client, whereby single quotes around the remote name are being included in the name rather than trimmed away during parsing.
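
The workaround DreamCypher describes, as an added example that is not part of any post: it rewrites a single-quoted `verify-x509-name` argument to the double-quoted form reported working, so the server name check stays enabled instead of being removed. The function names, the port and the sample profile are constructed for illustration.

```python
import re
import sys

# verify-x509-name whose first argument is single-quoted. Names containing a
# double quote or backslash are left untouched rather than re-escaped.
DIRECTIVE = re.compile(r"""^(\s*verify-x509-name\s+)'([^'"\\]+)'(\s.*)?$""")
INLINE_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")

# Constructed sample profile (placeholder key material, assumed port).
SAMPLE = """\
client
remote serveraddress.synology.me 1194
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder, not a real key)
-----END OpenVPN Static key V1-----
</tls-auth>
verify-x509-name 'serveraddress.synology.me' name
"""

def normalize_profile(text):
    """Return (new_text, changed_line_numbers); inline blocks are never edited."""
    out, changed, inline = [], [], None
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep LF or CRLF exactly as found
        tag = body.strip()
        opened = INLINE_OPEN.match(tag)
        if inline is not None:          # inside <ca>, <key>, <tls-auth>, ...
            if tag == f"</{inline}>":
                inline = None
        elif opened:
            inline = opened.group(1)
        else:
            m = DIRECTIVE.match(body)
            if m:
                body = f'{m.group(1)}"{m.group(2)}"{m.group(3) or ""}'
                changed.append(lineno)
        out.append(body + eol)
    return "".join(out), changed

if __name__ == "__main__":
    # With a path argument, print the corrected profile; otherwise use SAMPLE.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    fixed, changed = normalize_profile(source)
    sys.stderr.write(f"rewrote lines: {changed}\n")
    sys.stdout.write(fixed)
```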

whatacharacter
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 12, 2022 8:14 pm

Re: Error message: Peer certificate verification failure

Post by whatacharacter » Fri Aug 12, 2022 8:20 pm

> DreamCypher wrote (Fri May 13, 2022 9:27 pm):
> FYI,
> I found that I did not have to remove the verify line, but instead needed to remove or replace the single-quotation marks.

+1
Thanks DreamCypher!
Created an account just to add another voice here confirming this is indeed the issue.

This same error occurs on Azure VPN gateway with OpenVPN when these marks are present in the .ovpn file.

daveinlv
OpenVpn Newbie
Posts: 8
Joined: Sun Jan 10, 2016 1:16 am

Re: Error message: Peer certificate verification failure

Post by daveinlv » Sat Sep 24, 2022 7:41 pm

I'm seeing the same error when I try to connect to my openvpn server. I'm currently seeing this exact error on a MacBookAir (OS 10.15.7), but am unable to connect to the server from my Android phone using the OpenVPN client for Android, nor on my Windows 10 laptop using the Windows OpenVpn client NOR my Kubuntu Linux laptop using its Openvpn. Until a few weeks ago, all of these systems were able to connect successfully to my openvpn server, which is running on an Asus RT-N66U router with FreshTomato Firmware 2022.2 MIPSR2 K26 USB AIO-64K. Version of Openvpn server used here is unknown.

All I see in the openvpn server log is the following:

Sep 24 12:29:33 svnetgw daemon.notice openvpn-server1[27811]: TCP connection established with [AF_INET6]::ffff:XX.XX.XX.XX:51902
Sep 24 12:29:33 svnetgw daemon.notice openvpn-server1[27811]: XX.XX.XX.XX:51902 TLS: Initial packet from [AF_INET6]::ffff:XX.XX.XX.XX:51902, sid=6ca4fb7c ba13392e
Sep 24 12:29:33 svnetgw daemon.err openvpn-server1[27811]: XX.XX.XX.XX:51902 Connection reset, restarting [0]
Sep 24 12:29:33 svnetgw daemon.notice openvpn-server1[27811]: XX.XX.XX.XX:51902 SIGUSR1[soft,connection-reset] received, client-instance restarting

Help!!

Locked