iOS + Synology: Please, please, please someone help me!

Official client software for OpenVPN Access Server and OpenVPN Cloud.
mrmrw
OpenVpn Newbie
Posts: 3
Joined: Fri Mar 08, 2013 10:14 pm

iOS + Synology: Please, please, please someone help me!

Post by mrmrw » Tue May 21, 2013 8:16 am

I realise you all owe me nothing.

But I also please request your help as kindly as possible, as I really do require some assistance. It would be incredibly appreciated - we are talking PayPal donated appreciated here, if you can help me get working!

Anyway,

What I want is to be able to use the iOS OpenVPN app to connect to my Synology server's VPN server *out of the box* with no mods to the Synology server.

I understand the first edition of iOS OpenVPN Connect did not support this as the Synology server does not use a client certificate, just a username and password.

Does the latest iOS update now offer this feature? I tried CLIENT_CERT 0 with no luck.

My config is below. I desperately need help. Please, please, please can anyone help me? Synology are useless and offer no support here.

Many thanks,


-----

dev tun
tls-client

remote 123.456.etc.etc 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

dhcp-option DNS 10.0.1.1

pull

proto udp
script-security 2

<ca>
-----BEGIN CERTIFICATE-----
DGSFHJDHJVDVJHW etc....
-----END CERTIFICATE-----

</ca>

comp-lzo

reneg-sec 3600

auth-user-pass

CLIENT_CERT 0

sumocomputers
OpenVpn Newbie
Posts: 5
Joined: Wed May 22, 2013 6:27 am

Re: iOS + Synology: Please, please, please someone help me!

Post by sumocomputers » Wed May 22, 2013 6:28 am

+1

Would love to see this work out of the box

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: iOS + Synology: Please, please, please someone help me!

Post by jamesyonan » Wed May 22, 2013 4:46 pm

Change

Code:

CLIENT_CERT 0

to:

Code:

setenv CLIENT_CERT 0

Also, make sure you are using OpenVPN Connect 1.0.1 (iOS) or later.

James

sumocomputers
OpenVpn Newbie
Posts: 5
Joined: Wed May 22, 2013 6:27 am

Re: iOS + Synology: Please, please, please someone help me!

Post by sumocomputers » Wed May 22, 2013 5:07 pm

I can verify the iOS v1.0.1 OpenVPN update and my DS1511+ with 4.2-3211 do not work out of the box, even with:

Code:

setenv CLIENT_CERT 0

I still get the following error:

Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Even though the steps to work around this issue aren't that hard, I would prefer not to modify the OS FileSystem of my Synology.

I am not even sure if the problem lies with Synology, OpenVPN, or both.

Maybe 1.0.2 or 4.3 will work? Who knows.

Alfyk
OpenVpn Newbie
Posts: 2
Joined: Thu May 23, 2013 5:30 am

Re: iOS + Synology: Please, please, please someone help me!

Post by Alfyk » Thu May 23, 2013 5:33 am

+1
Me too
Please, help us !!
:) :)

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: iOS + Synology: Please, please, please someone help me!

Post by jamesyonan » Thu May 23, 2013 7:16 am

Can you post Synology server-side OpenVPN config + iOS client config with private keys removed?

James

lolex
OpenVPN Power User
Posts: 52
Joined: Sun Jun 05, 2011 7:50 pm

Re: iOS + Synology: Please, please, please someone help me!

Post by lolex » Thu May 23, 2013 8:23 am

I don't know what the certificates created by Synology look like, but I guess it uses a CA with a path length of 0. OpenVPN Connect fails to verify such certificate authorities.
See also https://community.openvpn.net/openvpn/ticket/285

This is still true for OpenVPN Connect 1.0.1

sumocomputers
OpenVpn Newbie
Posts: 5
Joined: Wed May 22, 2013 6:27 am

Re: iOS + Synology: Please, please, please someone help me!

Post by sumocomputers » Fri May 24, 2013 1:29 am

jamesyonan wrote: Can you post Synology server-side OpenVPN config + iOS client config with private keys removed?

James

Synology generates 2 files: openvpn.ovpn and ca.crt.

I have inserted just the openvpn.ovpn file contents below. Not sure how or where to remove the private keys, since I don't see that in either file, but would be glad to if I could get a little help. I am assuming I can get them from the iOS device, but not sure how.

Code:

dev tun

tls-client

remote <MY SYNOLOGY IP ADDRESS> 1194

# The "float" tells OpenVPN to accept authenticated packets from any address, 
# not only the address which was specified in the --remote option. 
# This is useful when you are connecting to a peer which holds a dynamic address 
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS

pull

proto udp

script-security 2

ca ca.crt

reneg-sec 0

auth-user-pass

setenv CLIENT_CERT 0

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: iOS + Synology: Please, please, please someone help me!

Post by jamesyonan » Fri May 31, 2013 8:50 pm

We have confirmed the issue where CAs with path length of 0 are not being handled correctly. This will be fixed in 1.0.2.

James

shardphoenix
OpenVpn Newbie
Posts: 3
Joined: Fri Aug 09, 2013 3:58 pm

Re: iOS + Synology: Please, please, please someone help me!

Post by shardphoenix » Fri Aug 09, 2013 4:42 pm

When is version 1.02 released...?

trick-1
OpenVpn Newbie
Posts: 1
Joined: Wed Sep 04, 2013 1:16 pm

Re: iOS + Synology: Please, please, please someone help me!

Post by trick-1 » Wed Sep 04, 2013 1:23 pm

So I had the same problem with OpenVPN on a Raspberry Pi, attempting to connect using OpenVPN Connect 1.0.1 build 88 (iOS).

What I discovered by reading http://www.openssl.org/docs/apps/x509v3_config.html was that you could set the following in the openssl.cnf file in the section [ v3_ca ]

basicConstraints = CA:true,pathlen:1

I was using the following excellent instructions to build my OpenVPN server on the Raspberry Pi: http://blog.remibergsma.com/2013/01/05/ ... pberry-pi/

Once done, I set up the client.ovpn as per the instructions here: https://www.witopia.net/support/setting ... e-ios/ssl/

The end result was that I was then able to connect. Prior to doing this I had been met with this exact frustration.

Now maybe someone could tell me what setting pathlen:1 has actually done :-)
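Added example (not part of any post in this thread, and not OpenVPN or Synology code): a small model of how a verifier applies the basicConstraints path length rule from RFC 5280 (sections 4.2.1.9 and 6.1.4), which is what pathlen:0 versus pathlen:1 controls. The `Cert` class, `check_path_length` function and all certificate names are hypothetical, and the model assumes the root CA's own constraint is enforced.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Hypothetical minimal model of the fields that matter for basicConstraints."""
    subject: str
    issuer: str
    is_ca: bool = False
    pathlen: Optional[int] = None  # None means no pathLenConstraint present

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def check_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """chain is ordered root CA first, end-entity certificate last."""
    max_path_length = len(chain)  # start effectively unlimited
    for cert in chain[:-1]:  # the last certificate is never counted
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if not cert.self_issued:
            # A non-self-issued CA consumes one unit of the remaining budget.
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length exceeded"
            max_path_length -= 1
        if cert.pathlen is not None and cert.pathlen < max_path_length:
            max_path_length = cert.pathlen  # constraints can only tighten
    return True, "ok"


# Constructed sample certificates (all names are made up for this example).
def root(pathlen: Optional[int]) -> Cert:
    return Cert("Root CA", "Root CA", is_ca=True, pathlen=pathlen)

SUB = Cert("Sub CA", "Root CA", is_ca=True)
SUB2 = Cert("Sub CA 2", "Sub CA", is_ca=True)
SERVER_FROM_ROOT = Cert("vpn-server", "Root CA")
SERVER_FROM_SUB = Cert("vpn-server", "Sub CA")
SERVER_FROM_SUB2 = Cert("vpn-server", "Sub CA 2")

if __name__ == "__main__":
    print(check_path_length([root(0), SERVER_FROM_ROOT]))
    print(check_path_length([root(0), SUB, SERVER_FROM_SUB]))
    print(check_path_length([root(1), SUB, SERVER_FROM_SUB]))
    print(check_path_length([root(1), SUB, SUB2, SERVER_FROM_SUB2]))
```

Under these rules a CA with pathlen:0 may still sign a server certificate directly; pathlen:1 additionally permits one intermediate CA beneath it.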
