iPhone ca.crt from ASUSTOR cannot add in OpenVPN

Post by santillolu » Sun Nov 27, 2022 7:13 am

I have an ASUSTOR NAS that I use as a VPN server. I want to connect to my NAS with the iPhone OpenVPN app, but I cannot because of the certificate.
Can you help me to solve the problem?
I tried to add the ca.crt to the OpenVPN file, but I think it is not correct. Below is the configuration:

remote MY IP CONNECTION 1194
client
dev tun
script-security 3
proto udp
nobind
float
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
MIIECzCCAvOgAwIBAgIJAPxDeWk1Pa0RMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD
VQQGEwJUVzEPMA0GA1UECAwGVGFpd2FuMQ8wDQYDVQQHDAZUYWlwZWkxEDAOBgNV
BAoMB0FzdXN0b3IxEDAOBgNVBAsMB0FTVVNUT1IxEDAOBgNVBAMMB0FTVVNUT1Ix
EDAOBgNVBCkMB0FTVVNUT1IxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAYXN1c3Rv
ci5jb20wHhcNMjIxMDMwMDkwMTI2WhcNMzIxMDI3MDkwMTI2WjCBmzELMAkGA1UE
BhMCVFcxDzANBgNVBAgMBlRhaXdhbjEPMA0GA1UEBwwGVGFpcGVpMRAwDgYDVQQK
.....
VR0jBBgwFoAUGAYckki/jxHMydczwhz2C1b8/a8wDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAZGXnfmOyWKaSH1EmmQiIH2FnzYUK6OycyQvhd+Zfm+Cp
UnrPVRDMPrNeGyOoqvCDeFM5ye3rjgL1AE+htANNY+uA1OgGxu3zo6SJHZI4lcZF
ovFCHnDp50nzRoB+UNCfHLY8gB0SeNBhGrpUTiGLmqhVSVGEXbrGe+SapejwmbVP
NXsUAH2/17cPZw4Ajioq1b7hLIfZm7PoMpRr7nDWAWLzJOTmU5osWivWAHxja/rn
NK9yYvNXqvV1OENi7TlHTvWj4y8fMmPDNxFaSqsG59yw0F/ZO4LKHI/pwuIJ6Byg
SnGse0eg1SrqCYsS7zO1czSVLS6a1RDcMByUqG9ViQ==
-----END CERTIFICATE-----
</ca>
auth-user-pass
reneg-sec 0
cipher BF-CBC
auth SHA1
comp-lzo

Can you please help me understand where I made a mistake, and whether there is another way to add the ca.crt instead of here?
Thanks
Luca

Post by openvpn_inc » Sun Nov 27, 2022 11:21 am

Hello Luca,

OpenVPN3 assumes that you normally use certificates to provide identity verification. With OpenVPN, you either do use certificates, or you don't. But this configuration only implements it half-way. It only implements verification of the server identity using the CA certificate embedded in the client certificate but it doesn't implement verification of the client identity using certificate and private key. So you've got a half-way configuration and the Connect client is trying to find the client certificate and it's not there. You can override this by adding "setenv CLIENT_CERT 0" in the client configuration file. You can also check to see if it's possible to implement client certificates on this device's OpenVPN configurations.

You can find more information here: https://openvpn.net/faq/how-to-make-the ... icate-key/

Kind regards,
Johan
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post by santillolu » Sun Nov 27, 2022 12:07 pm

openvpn_inc wrote:
Sun Nov 27, 2022 11:21 am
Hello Luca,

OpenVPN3 assumes that you normally use certificates to provide identity verification. With OpenVPN, you either do use certificates, or you don't. But this configuration only implements it half-way. It only implements verification of the server identity using the CA certificate embedded in the client certificate but it doesn't implement verification of the client identity using certificate and private key. So you've got a half-way configuration and the Connect client is trying to find the client certificate and it's not there. You can override this by adding "setenv CLIENT_CERT 0" in the client configuration file. You can also check to see if it's possible to implement client certificates on this device's OpenVPN configurations.

You can find more information here: https://openvpn.net/faq/how-to-make-the ... icate-key/

Kind regards,
Johan

Thanks for your feedback!
I tried, but it is still not working. Is there any specific place to add this:
"setenv CLIENT_CERT 0"

I added it here, but it is not working:
remote MY IP CONNECTION 1194
client
dev tun
script-security 3
proto udp
nobind
float
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
MIIECzCCAvOgAwIBAgIJAPxDeWk1Pa0RMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD
VQQGEwJUVzEPMA0GA1UECAwGVGFpd2FuMQ8wDQYDVQQHDAZUYWlwZWkxEDAOBgNV
BAoMB0FzdXN0b3IxEDAOBgNVBAsMB0FTVVNUT1IxEDAOBgNVBAMMB0FTVVNUT1Ix
EDAOBgNVBCkMB0FTVVNUT1IxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAYXN1c3Rv
ci5jb20wHhcNMjIxMDMwMDkwMTI2WhcNMzIxMDI3MDkwMTI2WjCBmzELMAkGA1UE
BhMCVFcxDzANBgNVBAgMBlRhaXdhbjEPMA0GA1UEBwwGVGFpcGVpMRAwDgYDVQQK
.....
VR0jBBgwFoAUGAYckki/jxHMydczwhz2C1b8/a8wDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAZGXnfmOyWKaSH1EmmQiIH2FnzYUK6OycyQvhd+Zfm+Cp
UnrPVRDMPrNeGyOoqvCDeFM5ye3rjgL1AE+htANNY+uA1OgGxu3zo6SJHZI4lcZF
ovFCHnDp50nzRoB+UNCfHLY8gB0SeNBhGrpUTiGLmqhVSVGEXbrGe+SapejwmbVP
NXsUAH2/17cPZw4Ajioq1b7hLIfZm7PoMpRr7nDWAWLzJOTmU5osWivWAHxja/rn
NK9yYvNXqvV1OENi7TlHTvWj4y8fMmPDNxFaSqsG59yw0F/ZO4LKHI/pwuIJ6Byg
SnGse0eg1SrqCYsS7zO1czSVLS6a1RDcMByUqG9ViQ==
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
auth-user-pass
reneg-sec 0
cipher BF-CBC
auth SHA1
comp-lzo

Post by openvpn_inc » Sun Nov 27, 2022 2:00 pm

Hello,

Anywhere in the profile should work. That location should be fine.

I do see cipher BF-CBC being used which is not a good encryption method. Any chance you can configure it to use something like AES-256? But depending on your client, it should auto-upgrade that to AES-256 if the server supports doing that. But I know nothing about your server software unfortunately.

Then you may just be dealing with another problem entirely. Without log file output I have no idea. If you think the log contains private information it's better to submit that in a ticket at https://openvpn.net/support/ and let me know the ticket number.

Kind regards,
Johan

Post by santillolu » Mon Nov 28, 2022 1:34 pm

Dear Johan,
thanks to your help, now I can connect!
I also changed these 2 configurations:
Checksum (Digest) SHA256
Encryption (Cipher) AES-256-CBC
Let me know if you have other suggestions.
Thanks
Luca
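
A profile check for the two issues raised in this thread: a CA in the profile with no client certificate/key and no "setenv CLIENT_CERT 0", and the BF-CBC cipher. This is an added example, not part of the forum posts and not OpenVPN's own tooling; the function names, finding codes, the constructed sample profile and vpn.example.net are assumptions, and the cipher list goes beyond BF-CBC to other 64-bit-block ciphers.

```python
import re

# BF-CBC is the cipher flagged in the thread; the rest are other 64-bit-block ciphers (added here).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def parse_profile(text):
    """Split a profile into directive token lists and inline block names."""
    directives, blocks, open_tag = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag:                        # skip the body of <ca>...</ca> etc.
            if line == f"</{open_tag}>":
                open_tag = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if m:
            open_tag = m.group(1)
            blocks.add(open_tag)
        else:
            directives.append(line.split())
    return directives, blocks

def lint_profile(text):
    """Return (code, detail) findings for the two issues raised in the thread."""
    directives, blocks = parse_profile(text)
    present = blocks | {d[0] for d in directives}
    findings = []
    has_client_id = "pkcs12" in present or {"cert", "key"} <= present
    opted_out = ["setenv", "CLIENT_CERT", "0"] in directives
    if "ca" in present and not has_client_id and not opted_out:
        findings.append(("no-client-cert", "add cert/key or 'setenv CLIENT_CERT 0'"))
    for d in directives:
        if d[0] == "cipher" and len(d) > 1 and d[1].upper() in WEAK_CIPHERS:
            findings.append(("weak-cipher", d[1]))
    return findings

# Constructed sample shaped like the profile in the first post (placeholder CA body).
SAMPLE = """client
remote vpn.example.net 1194
<ca>
(constructed placeholder for the PEM CA certificate)
</ca>
auth-user-pass
cipher BF-CBC
"""
FIXED = SAMPLE.replace("cipher BF-CBC", "setenv CLIENT_CERT 0\ncipher AES-256-CBC")
if __name__ == "__main__":
    print(lint_profile(SAMPLE), lint_profile(FIXED))
```

The sample yields both findings; the variant with "setenv CLIENT_CERT 0" and AES-256-CBC, matching the changes reported in the last post, yields none.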
