OpenVPN client not properly parsing synology NAS config file

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
OniNiubbo
OpenVpn Newbie
Posts: 2
Joined: Wed May 31, 2023 8:24 am

OpenVPN client not properly parsing synology NAS config file

Post by OniNiubbo » Wed May 31, 2023 8:27 am

As reported here: https://community.synology.com/enu/forum/1/post/158559
The .openvpn file generated by Synology NAS isn't well digested by newer OpenVPN clients (I can't pinpoint the exact version of OpenVPN Android client that worked).

More precisely, as reported in the linked article, the last line of the .openvpn file generated by Synology is something like:
verify-x509-name 'serveraddress.synology.me' name

And OpenVPN doesn't accept that, returning a 'Peer certificate verification failure' upon connection.

If the user changes the last line to:
verify-x509-name serveraddress.synology.me name
or:
verify-x509-name "serveraddress.synology.me" name

Everything works. I tried to open a ticket on Synology NAS customer service, but they state it's a known issue and it's OpenVPN's fault.

I tried to open a ticket on OpenVPN customer service, but they refuse to fix because they only cover commercial stuff. They redirected me here.

Fadim
OpenVPN User
Posts: 40
Joined: Mon May 15, 2023 12:14 pm

Re: OpenVPN client not properly parsing synology NAS config file

Post by Fadim » Thu Jun 01, 2023 8:09 am

I think I might have a workaround for you. There's a thread on StackOverflow where a user had a similar problem. They had to manually adjust their configuration files. Here are the steps they took:

Generate certificates (for example using XCA).
Make a copy of '/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf' and rename it to '/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user'.
Replace the certificates and keys in '/usr/syno/etc/packages/VPNCenter/openvpn/'keys.
Edit '/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user' to use these certificates and keys.
Edit 'VPNConfig.ovpn' to contain the intermediate and/or root certificate, the client's certificate, and the client's private key​1​.

You might need to adapt these steps to your specific setup, but I hope this gives you a good starting point.

OniNiubbo
OpenVpn Newbie
Posts: 2
Joined: Wed May 31, 2023 8:24 am

Re: OpenVPN client not properly parsing synology NAS config file

Post by OniNiubbo » Thu Jun 01, 2023 8:20 am

Fadim wrote:
Thu Jun 01, 2023 8:09 am
I think I might have a workaround for you. There's a thread on StackOverflow where a user had a similar problem. They had to manually adjust their configuration files. Here are the steps they took:

Generate certificates (for example using XCA).
Make a copy of '/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf' and rename it to '/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user'.
Replace the certificates and keys in '/usr/syno/etc/packages/VPNCenter/openvpn/'keys.
Edit '/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user' to use these certificates and keys.
Edit 'VPNConfig.ovpn' to contain the intermediate and/or root certificate, the client's certificate, and the client's private key​1​.

You might need to adapt these steps to your specific setup, but I hope this gives you a good starting point.
Simply changing the single quotes to double quotes in the last line of the '.ovpn' file generated by Synology fixes the issue.

I've gone trough the loops of contacting 2 customer supports because it would be cool to have a functioning system out of the box.

Since the fix seem trivial (changing quotes type) I guess it's easy to push the fix?

Fadim
OpenVPN User
Posts: 40
Joined: Mon May 15, 2023 12:14 pm

Re: OpenVPN client not properly parsing synology NAS config file

Post by Fadim » Fri Jun 02, 2023 9:30 am

It can be baffling when a seemingly simple fix is not implemented. Unfortunately, these issues often fall between the cracks of two organizations, each believing the problem belongs to the other. While we can hope for a streamlined solution in the future, for now, the workaround you mentioned (changing the quotes) seems to be the best bet.

Post Reply