OpenVPN Support Forum

Hello after struggeling 2 days, im gonne ask some help and hope somebody wants to help me.

the following have i tried to get connection

http://forum.synology.com...rtificates_for_connecting

ave make folders
follow this rule :

openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650

then i got stucked on the next rule

openssl ca -out syn.crt -in syn.csr.

he cant find cakey.pem

thru another topic i found the following rule

openssl req -new -x509 -extensions v3_ca -keyout demoCA/private/cakey.pem -out cacert.pem -days 3650

root will be generated the file cacert.pem (moved to the private folder

after that the following rules worked

server
openssl req -nodes -new -keyout syn.key -out syn.csr (create private key)
openssl ca -out syn.crt -in syn.csr (create a public key certificate and sign it)

client

openssl req -nodes -new -keyout client.key -out client.csr
openssl ca -out client.crt -in client.csr

this generated the following files

client.crt
client.csr
client.key
syn.crt
syn.csr
syn.key
cacert.pem
cakey.pem
my-ca.crt

the following files should go to the openvpn client : my-ca.crt client.crt en client.key en dh1024.pem (last file is a key fole of the synology.
after that changed the /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf file, to the new syn.key syn.crt en my-ca.crt. services started.

CLient config zis as follow
client
dev tun
proto udp
remote 192.168.11.101 1194
redirect-gateway
persist-key
persist-tun
comp-lzo
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.key
key /etc/openvpn/client.crt

But if i start on the client i see the following error

Mon Dec 30 12:38:32 2013 OpenVPN 2.1.3 mipsel-oe-linux [SSL] [LZO2] [EPOLL] buil
t on May 9 2013
Mon Dec 30 12:38:32 2013 IMPORTANT: OpenVPN's default port number is now 1194, b
ased on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earl
ier used 5000 as the default port.
Mon Dec 30 12:38:32 2013 WARNING: No server certificate verification method has
been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Dec 30 12:38:32 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or hig
her to call user-defined scripts or executables
Mon Dec 30 12:38:32 2013 Cannot load certificate file /etc/openvpn/client.key: e
rror:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routin
es:SSL_CTX_use_certificate_file:PEM lib
Mon Dec 30 12:38:32 2013 Exiting

Added just now the remote-cert-tls server in the client.conf to avoid the error "No server certificate verification "


but still i would start. anyone know what i did wrong ?

Kind regards

Peter

why dont you build your keys on a win/linux pc/server?

openvpn has scripts (build-ca,build-key,build-key-server) which they does that,create keys
simple and fast...

also,

ca.crt must be present on both clients/server
dh1024.pem file must be present on server

ca.key must be placed somewhere safe...

also do not protect your server certs with a pass if you intend to start openvpn as a service..

FYI,

first you create your CA then you create a csr and you use your ca.key to sign
the previous csr and convert it into crt.

Michael.

indeed simple and fast.

step by step no problem.

but after this, still the same error.

replaced alle keys on the client, but still the same error


followed the following staps

init-config.bat
vars
clean-all

vars
build-ca

vars
build-dh

vars
build-key-server Synology

vars
build-key ET4000

in the folder keys i have the following files

01.pem
02.pem
ca.crt
ca.key
dh2048.pem
ET4000.crt
ET4000.csr
ET4000.key
index.txt
index.txt.attr
keys.txt
serial
synology.crt
synology.csr
synology.key


copied the ca,key and ET4000.crt and ET4000.key to the client

and started the openvpn with

openvpn /etc/openvpn/client.config
Thu Jan 1 01:45:44 1970 OpenVPN 2.1.3 mipsel-oe-linux [SSL] [LZO2] [EPOLL] buil
t on May 9 2013
Thu Jan 1 01:45:44 1970 IMPORTANT: OpenVPN's default port number is now 1194, b
ased on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earl
ier used 5000 as the default port.
Thu Jan 1 01:45:44 1970 WARNING: No server certificate verification method has
been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 1 01:45:44 1970 NOTE: OpenVPN 2.1 requires '--script-security 2' or hig
her to call user-defined scripts or executables
Thu Jan 1 01:45:44 1970 Cannot load certificate file /etc/openvpn/ET4000.key: e
rror:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routin
es:SSL_CTX_use_certificate_file:PEM lib
Thu Jan 1 01:45:44 1970 Exiting
.

dont know if i can test the certified files on a w32/64 openvpn connevtion ?

Yes running root

also the keys have attrrib status 777

Yesterday i was futher then now. Yersterday i got only a error that the certificate with server and client was not compatible, but i saw on my syno that connection was estabilist

Look for it with in 1 hour i am on a phone now but is n,t this a client certificate problem

LOL

the website is down at the moment

http://forum.synology.com/wiki/index.ph ... connecting

just curious,

did you set a password on ET4000.key file?

Michael.

No didnt use a password

i'm also looking at converting files from windows to linux.
but it seens to me that this also is not working.

now im going to try to run the easy-rsa script on the linux client, but linux is not that good on linux.

i'm also looking at converting files from windows to linux.

you dont need to convert keys, openvpn can read them anyway..

but linux is not that good on linux

Michael.

i meant om not that good with linux

am now generating the DH. Already 30 minutes busy on my linux client

if you use large keys (>2048) , dh params can take a while...

Michael.