Certificate QNap NAS420 for Android OpenVPN problem

[Eskevar]

Hi

First, let me say that english isnt my native language so I can make some mistake to translate what I can say.

HW/SW involved:
1)OpenVPN Android (installed 12/Nov/2019, today)
2)Xiaomi Note 7 Android 9 MIUI 10 updated
3)QNap NAS 420 updated
4)Fastweb (my carrier, router) cant touch this for update

I've a QNap NAS420 with QVpn Service on it. I never used VPN on this NAS before. I just updated the S.O. on QNap that recently update it, so its all new.

I've installed the service, I start and configured the OpenVPN server configuration, then saved the files for autoconfiguration on Android.
QNap export 3 files (in a single .zip file):
1)readme.txt for Win/Linux details
2)ca.crt
3)openvpn.ovpn

I configured the forward in my router for UDP Port 1194 on QNap IP.

I unzip it in my Xiaomi Note 7 after installed OpenVPN client (from Google Play Store 12/Nov/2019 so today).
The import of openvpn.ovpn go well, but when I try to start the VPN with my server, the app ask me for certificate because isnt installed.
I go to folder where is ca.crt, select it, give it a name of fantasy (I try NAS420, ca.crt, ca, NAS, mickymouse..), verified that there's "VPN/app" choosed, then press OK. Then the app ask again because there's still no certificate... and go on.
I go under certificate settings in my smartphone and I see that the certificate with the names that I choose are all installed as User Certificate.
So why OpenVPN dont see them?

QNap dont say nothing about connection in log. And after trying for many minutes still with "continue", the OpenVPN on Android dont make anything.

I miss something?

Thank You for any advice or help.

Best Regards

[TinCanTech]

Try using Inline certificate:
https://community.openvpn.net/openvpn/w ... nPage#lbAW

[Eskevar]

Hi,

thank you for the tip, but I've a question.
I see that OpenVPN client can select certificate PKCS#12 so I try to see if I can convert mine (.crt) in it but I see that OpenSSL ask me "inkey privatekey.key" file that I'vent.
You mean to do something similar?

Best Regards

[TinCanTech]

You need to know the password to open the key file ..

And you need to ensure your client config file has the following line:

Code: Select all

askpass

[Eskevar]

Hi

Here again.
After reading many answers to different question I think that add at end of openvpn.ovpn file "setenv CLIENT_CERT 0", evade the request of a certificate that probably is anyway (because is in the smartphone) used.
I try to connect in this way but I cant still have a VPN connection.

I post the log of the connection that seems to find the QNap VPN server but dont receive answer.

--------------------------------------------------------
14:45:22.624 -- ----- OpenVPN Start -----
14:45:22.625 -- EVENT: CORE_THREAD_ACTIVE
14:45:22.628 -- OpenVPN core 3.git::728733ae:Release android arm64 64-bit PT_PROXY built on Aug 14 2019 14:13:26
14:45:22.628 -- Frame=512/2048/512 mssfix-ctrl=1250
14:45:22.629 -- UNUSED OPTIONS
2 [script-security] [3]
4 [explicit-exit-notify] [1]
6 [resolv-retry] [infinite]
7 [nobind]
12 [tls-cipher] [TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-C...]
14:45:22.629 -- EVENT: RESOLVE
14:45:22.632 -- Contacting x.x.x.x:1194 via UDP
14:45:22.632 -- EVENT: WAIT
14:45:22.635 -- Connecting to [x.x.x.x]:1194 (x.x.x.x) via UDPv4
14:45:22.715 -- EVENT: CONNECTING
14:45:22.721 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
14:45:22.723 -- Creds: Username/Password
14:45:22.727 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.git::728733ae:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
14:46:02.724 -- Session invalidated: KEEPALIVE_TIMEOUT
14:46:02.728 -- Client terminated, restarting in 2000 ms...
14:46:04.727 -- EVENT: RECONNECTING
--------------------------------------------------------

On my ISP router I've redict UDP port to QNap.

To check if there's some problem with different service, I try too to start a PPTP server on same QNap (with forward on Router of port TCP 1723 and TCP 47) and the connection work well: i watch a small video on QNap.

I miss to open some other port to QNap?

TY for any advice.

[TinCanTech]

14:46:02.724 -- Session invalidated: KEEPALIVE_TIMEOUT

You need to use --keepalve in your server config.

[Eskevar]

Hi

ty for the tip.
In the meantime I check with QNap if I can modify the relative service on my NAS, I like to ask you something if you permit me ^^

Reading the log, can you confirm that OpenVPN Android Client have reached the QNap when I see "EVENT: CONNECTING"?
So the problem can be "something that block the answer" or "too few time to answer"?
The firewall of my ISP dont have user log that I can check, is an admin only service I think, so I dont know if there's some service of setting that can stop the answer from a VPN.
Do you know if I must ask for something in particular at my ISP Technical Customer Care?

Thank You

[TinCanTech]

If you post your complete [sanitized] server log at verb 4 I will take a look at it.

[Eskevar]

The log is almost nothing, because what I can see its just like "- Login of user XXX data time", same for logout.
For service same story. Start, stop, not more...
Indeed very poor info and configuration on the interface.

I dont know If I can install or have access to more log or info about it.
Probably will be a yes, but I need to install something that can permit me to see thought the interface ^^

[Pippin]

Please see --log and --verb in manual 2.4:
https://community.openvpn.net/openvpn/w ... n24ManPage

[Eskevar]

Hi

ty Pippin for link, but the real problem is that on QNap NAS I just press a button to start and stop service, so first I need to understand HOW access on command line ^^
In the meantime someone will answer me in the QNap forum I'll think to make a test on an old notebook where I've WIn7 installed.
I think to install there an OpenVPN server and check if that service work or not.
If that server work I'll know that problem is QNap, if that dont work can be probably my network or ISP router.

Can be a good thing to do?

[Eskevar]

Hi

I checked by a Windows 7 OpenVPN server installed and all work well from my Xiaomi Note 7 so the problem is the OpenVPN server service on the QNap NAS 420.
Now I must understand how i can check log or configuration.

I'll update the thread asap I find a solution