Iphone ca.crt from ASUSTOR cannot add in openvpn

Official client software for OpenVPN Access Server and OpenVPN Cloud.
santillolu
OpenVpn Newbie
Posts: 3
Joined: Sun Nov 27, 2022 7:06 am

Iphone ca.crt from ASUSTOR cannot add in openvpn

Post by santillolu » Sun Nov 27, 2022 7:13 am

I have an ASUSTOR NAS that I use as a VPN server. I want to connect to my NAS with the iPhone OpenVPN app, but I cannot because of the certificate.
Can you help me solve the problem?
I tried to add the ca.crt to the OpenVPN file, but I think it is not correct. Below is the configuration:

remote MY IP CONNECTION 1194
client
dev tun
script-security 3
proto udp
nobind
float
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
</ca>
auth-user-pass
reneg-sec 0
cipher BF-CBC
auth SHA1
comp-lzo

Can you please help me understand where I made a mistake and whether there is another way to add the ca.crt instead of here?
Thanks
Luca

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Iphone ca.crt from ASUSTOR cannot add in openvpn

Post by openvpn_inc » Sun Nov 27, 2022 11:21 am

Hello Luca,

OpenVPN3 assumes that you normally use certificates to provide identity verification. With OpenVPN, you either do use certificates, or you don't. But this configuration only implements it half-way. It only implements verification of the server identity using the CA certificate embedded in the client certificate but it doesn't implement verification of the client identity using certificate and private key. So you've got a half-way configuration and the Connect client is trying to find the client certificate and it's not there. You can override this by adding "setenv CLIENT_CERT 0" in the client configuration file. You can also check to see if it's possible to implement client certificates on this device's OpenVPN configurations.

You can find more information here: https://openvpn.net/faq/how-to-make-the ... icate-key/

Kind regards,
Johan
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support


Re: Iphone ca.crt from ASUSTOR cannot add in openvpn

Post by santillolu » Sun Nov 27, 2022 12:07 pm

openvpn_inc wrote:
Sun Nov 27, 2022 11:21 am
Hello Luca,

OpenVPN3 assumes that you normally use certificates to provide identity verification. With OpenVPN, you either do use certificates, or you don't. But this configuration only implements it half-way. It only implements verification of the server identity using the CA certificate embedded in the client certificate but it doesn't implement verification of the client identity using certificate and private key. So you've got a half-way configuration and the Connect client is trying to find the client certificate and it's not there. You can override this by adding "setenv CLIENT_CERT 0" in the client configuration file. You can also check to see if it's possible to implement client certificates on this device's OpenVPN configurations.

You can find more information here: https://openvpn.net/faq/how-to-make-the ... icate-key/

Kind regards,
Johan

Thanks for your feedback!
I tried, but it is still not working. Is there a specific place to add this:
"setenv CLIENT_CERT 0"

I added it here, but it is not working:
remote MY IP CONNECTION 1194
client
dev tun
script-security 3
proto udp
nobind
float
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
auth-user-pass
reneg-sec 0
cipher BF-CBC
auth SHA1
comp-lzo


Re: Iphone ca.crt from ASUSTOR cannot add in openvpn

Post by openvpn_inc » Sun Nov 27, 2022 2:00 pm

Hello,

Anywhere in the profile should work. That location should be fine.

I do see cipher BF-CBC being used which is not a good encryption method. Any chance you can configure it to use something like AES-256? But depending on your client, it should auto-upgrade that to AES-256 if the server supports doing that. But I know nothing about your server software unfortunately.

Then you may just be dealing with another problem entirely. Without log file output I have no idea. If you think the log contains private information it's better to submit that in a ticket at https://openvpn.net/support/ and let me know the ticket number.

Kind regards,
Johan


Re: Iphone ca.crt from ASUSTOR cannot add in openvpn

Post by santillolu » Mon Nov 28, 2022 1:34 pm

Dear Johan,
thanks to your help, now I can connect!
I also changed these 2 configurations:
Checksum (Digest) SHA256
Encryption (Cipher) AES-256-CBC
Let me know if you have other suggestions.
Thanks
Luca

godtooro
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 12, 2023 8:20 pm

Re: Iphone ca.crt from ASUSTOR cannot add in openvpn

Post by godtooro » Sun Feb 12, 2023 8:23 pm

Dear all!
This is my first post, nice to meet you all!

I have the same problem with my iPhone and this is my ovpn file:

remote my external IP 1194
client
dev tun
script-security 3
proto udp
nobind
float
redirect-gateway
<ca>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</ca>
setenv CLIENT_CERT 0
auth-user-pass
reneg-sec 0
cipher AES-256-CBC
auth SHA512
comp-lzo

I always get the same error: "ssl_context_error: OpenSSLContext:CA not defined"

From my ASUSTOR server I obtain two files: one ovpn and another ca.crt, which I'm adding to the ovpn file.
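
A profile check for the points raised in this thread (a usable inline CA, client certificate versus "setenv CLIENT_CERT 0", and the BF-CBC cipher), given as an added example that is not part of any post and is not OpenVPN Inc. code. It assumes an inline block is recognised only when its opening and closing tags each sit alone on a line; the function names, the sample profiles and vpn.example.net are constructed for illustration.

```python
import re

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}  # 64-bit block ciphers
PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"  # constructed

def parse_profile(text):
    """Split a profile into directives and inline blocks, noting tag problems."""
    directives, blocks, findings, open_tag = [], {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if open_tag:                       # inside <tag> ... </tag>
            if line == f"</{open_tag}>":
                open_tag = None
            else:
                blocks[open_tag].append(line)
        elif not line or line[0] in "#;":  # blank line or comment
            continue
        elif m := re.fullmatch(r"<([a-z][\w-]*)>", line):
            open_tag = m.group(1)
            blocks[open_tag] = []
        elif line.startswith("<"):
            findings.append(f"line {n}: inline tag shares its line with other text")
        else:
            directives.append(line.split())
    if open_tag:                           # block swallowed the rest of the file
        findings.append(f"<{open_tag}> is never closed")
        del blocks[open_tag]
    return directives, blocks, findings

def lint(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    directives, blocks, findings = parse_profile(text)
    names = {d[0] for d in directives}
    has = lambda opt: opt in names or opt in blocks
    if not has("ca"):
        findings.append("no usable CA: server identity cannot be verified")
    cert_off = ["setenv", "CLIENT_CERT", "0"] in directives
    if not (has("cert") and has("key")) and not cert_off:
        findings.append("no client cert/key and no 'setenv CLIENT_CERT 0'")
    for d in directives:
        if d[0] == "cipher" and len(d) > 1 and d[1].upper() in WEAK_CIPHERS:
            findings.append(f"cipher {d[1]} has a 64-bit block; prefer AES-256")
    return findings

# Constructed sample profiles (not the posters' files).
HALF_WAY = f"client\nremote vpn.example.net 1194\n<ca>\n{PEM}\n</ca>\nauth-user-pass\ncipher BF-CBC\n"
SAME_LINE = "client\n<ca>" + PEM + "</ca>\nsetenv CLIENT_CERT 0\nauth-user-pass\ncipher AES-256-CBC\n"
FIXED = HALF_WAY.replace("BF-CBC", "AES-256-CBC") + "setenv CLIENT_CERT 0\n"

if __name__ == "__main__":
    for name, profile in [("half-way", HALF_WAY), ("same-line", SAME_LINE), ("fixed", FIXED)]:
        print(name, lint(profile) or "ok")
```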
